#Defaults always_set_home
#  If enabled, sudo will set the HOME environment variable to the home directory of the target user
#  (which is root unless the -u option is used).  This effectively means that the -H option
#  always_set_home is only effective for configurations where either env_reset is disabled or HOME is present
#  in the env_keep list.  Default: OFF

#Defaults authenticate
#  If set, users must authenticate themselves via a password (or other means of authentication)
#  before they may run commands.  This default may be overridden via the PASSWD and NOPASSWD

#Defaults closefrom_override
#  If set, the user may use sudo's -C option which overrides the default starting
#  point at which sudo begins closing open file descriptors.  Default: OFF

#Defaults compress_io
#  If set, and sudo is configured to log a command's input or output, the I/O logs will be
#  compressed using zlib.  This flag is on by default when sudo is compiled with zlib support.

#Defaults env_editor
#  If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default
#  editor list.  Note that this may create a security hole as it allows th separated list of editors in the editor
#  variable.  visudo will then only use the EDITOR or VISUAL if they match a value specified in editor.  On by default.

#Defaults env_reset
#  If set, sudo will run the command in a minimal environment containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME,
#  USER, USERNAME and SUDO_* variables.  Any variables in the caller's env in the file specified by the env_file
#  option (if any).  The default contents of the env_keep and env_check lists are displayed when sudo is run by
#  root with the -V option.

#Defaults fast_glob
#  Normally, sudo uses the glob(3) function to do shell-style globbing when matching path names.
#  However, since it accesses the file system, glob(3) can take a long time to complete for som (automounted).
#  The fast_glob option causes sudo to use the fnmatch(3) function, which does not access the file system to do
#  its matching.  The disadvantage of fast_glob is that it is unable to ma names that include globbing characters
#  are used with the negation operator, '!', as such rules can be trivially bypassed.  As such, this option should
#  not be used when sudoers contains rules that

#Defaults fqdn
#  Set this flag if you want to put fully qualified host names in the sudoers file.  I.e., instead of myhost you
#  would use myhost.mydomain.edu.  You may still use the short form if you wish (and sudo unusable if DNS stops
#  working (for example if the machine is not plugged into the network).  Also note that you must use the
#  host's official name as DNS knows it.  That is, you may not use a all aliases from DNS.  If your machine's
#  host name (as returned by the hostname command) is already fully qualified you shouldn't need to set fqdn.
#  Default: OFF

#Defaults ignore_dot
#  If set, sudo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH
#  itself is not modified.  Default: OFF

#Defaults ignore_local_sudoers
#  If set via LDAP, parsing of /etc/sudoers will be skipped.  This is intended for Enterprises that wish to prevent
#  the usage of local sudoers files so that only LDAP is used.  /etc/sudoers does not even need to exist.
#  Since this option tells sudo how to behave when no specific LDAP entries have been matched, this sudo
#  Option is only meaningful for the cn=default

#Defaults insults
#  If set, sudo will insult users when they enter an incorrect password.  Default: OFF

#Defaults log_host
#  If set, the host name will be logged in the (non-syslog) sudo log file.  Default: OFF

#Defaults log_input
#  If set, sudo will run the command in a pseudo tty and log all user input.  If the standard
#  input is not connected to the user's tty, due to I/O redirection or because the command is part Input is logged
#  to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that
#  is included in the normal sudo log line, prefixed with TSID=.  Note that user input may contain sensitive
#  information such as passwords (even if they are not echoed to the screen), which will be stored in the log file
#  unencrypted.

#Defaults log_output
#  If set, sudo will run the command in a pseudo tty and log all output that is sent to the
#  screen, similar to the script(1) command.  If the standard output or standard error is not connec is also captured and
#  stored in separate log files. Output is logged to the directory specified by the iolog_dir option (/var/log/sudo-io
#  by default) using a unique session ID that is included in the normal sudo log line, prefixed with TSID=.  The Output
#  logs may be viewed with the sudoreplay(8) utility, which can also be used to list or search the available logs.

#Defaults log_year
#  If set, the four-digit year will be logged in the (non-syslog) sudo log file.  Default: OFF

#Defaults long_otp_prompt
#  When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line
#  prompt is used to make it easier to cut and paste the challenge to a local window

#Defaults mail_always
#  Send mail to the mailto user every time a users runs sudo.  Default: OFF

#Defaults mail_badpass
#  Send mail to the mailto user if the user running sudo does not enter the correct password.
#  Default: OFF

#Defaults mail_no_host
#  If set, mail will be sent to the mailto user if the invoking user exists in the sudoers
#  file, but is not allowed to run commands on the current host.  Default: OFF

#Defaults mail_no_perms
#  If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo
#  but the command they are trying is not listed in their sudoers file entry or is explicitly denied

#Defaults mail_no_user
#  If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file.
#  Default: ON

#Defaults noexec
#  If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden
#  by a EXEC tag.  See the description of NOEXEC and EXEC below as well as the "PREVENTING SHE

#Defaults path_info
#  Normally, sudo will tell the user when a command could not be found in their PATH environment
#  variable.  Some sites may wish to disable this as it could be used to gather information on t the executable is
#  simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing.
#  Default: ON

#Defaults passprompt_override
#  The password prompt specified by passprompt will normally only be used if the password prompt provided by
#  systems such as PAM matches the string "Password:"

#Defaults preserve_groups
#  By default, sudo will initialize the group vector to the list of groups the target
#  user is in.  When preserve_groups is set, the user's existing group vector is left unaltered.

#Defaults pwfeedback
#  By default, sudo reads the password like most other Unix programs, by turning off echo
#  until the user hits the return (or enter) key.  Some users become confused by this as it appears to the user
#  presses a key.  Note that this does have a security impact as an onlooker may be able to determine the length of
#  the password being entered.  Default: OFF

#Defaults requiretty
#  If set, sudo will only run when the user is logged in to a real tty.  When this flag is set,
#  sudo can only be run from a login session and not via other means such as cron(8) or cgi-bin

#Defaults root_sudo
#  If set, root is allowed to run sudo too.  Disabling this prevents users from "chaining" sudo
#  commands to get a root shell by doing something like "sudo sudo /bin/sh".  Note, however, that real additional
#  security; it exists purely for historical reasons.  Default: ON

#Defaults rootpw
#  If set, sudo will prompt for the root password instead of the password of the invoking user.
#  Default: OFF

#Defaults runaspw
#  If set, sudo will prompt for the password of the user defined by the runas_default option
#  (defaults to root) instead of the password of the invoking user.  Default: OFF

#Defaults set_home
#  If enabled and sudo is invoked with the -s option the HOME environment variable will be set
#  to the home directory of the target user (which is root unless the -u option is used).  So set_home is only
#  effective for configs where either env_reset is disabled or HOME is present in the env_keep list.  Default: OFF

#Defaults set_logname
#  Normally, sudo will set the LOGNAME, USER and USERNAME environment variables to the name
#  of the target user (usually root unless the -u option is given).  However, since some programs ( may be desirable
#  to change this behavior.  This can be done by negating the set_logname option.  Note that if the env_reset option
#  has not been disabled, entries in the env_keep list will override

#Defaults set_utmp
#  When enabled, sudo will create an entry in the utmp (or utmpx) file when a pseudo-tty is
#  allocated.  A pseudo-tty is allocated by sudo when the log_input, log_output or use_pty flags are e the tty, time,
#  type and pid fields updated.  Default: ON

#Defaults setenv
#  Allow the user to disable the env_reset option from the command line via the -E option.
#  Additionally, environment variables set via the command line are not subject to the restrictions impo variables
#  in this manner.  Default: OFF

#Defaults shell_noargs
#  If set and sudo is invoked with no arguments it acts as if the -s option had been given.
#  That is, it runs a shell as root (the shell is determined by the SHELL environment variable if is off by default.

#Defaults stay_setuid
#  Normally, when sudo executes a command the real and effective UIDs are set to the target
#  user (root by default).  This option changes that behaviour such that the real UID is left as the systems that
#  disable some potentially dangerous functionality when a program is run setuid.  This option is only effective on
#  systems with either the setreuid() or setresuid() function.  This flag

#Defaults targetpw
#  If set, sudo will prompt for the password of the user specified by the -u option (defaults to root) instead
#  of the password of the invoking user.  In addition, the timestamp file name will passwd database as an argument
#  to the -u option.  Default: OFF

#Defaults tty_tickets
#  If set, users must authenticate on a per-tty basis.  With this flag enabled, sudo will
#  use a file named for the tty the user is logged in on in the user's time stamp directory.

#Defaults umask_override
#  If set, sudo will set the umask as specified by sudoers without modification.  This makes
#  it possible to specify a more permissive umask in sudoers than the user's own umask and match user's umask and what
#  is specified in sudoers.  Default: OFF

#Defaults use_pty
#  If set, sudo will run the command in a pseudo-pty even if no I/O logging is being gone.
#  A malicious program run under sudo could conceivably fork a background process that retains to the u that impossible.
#  Default: OFF

#Defaults utmp_runas
#  If set, sudo will store the name of the runas user when updating the utmp (or utmpx) file.
#  By default, sudo stores the name of the invoking user.  Default: OFF

#Defaults visiblepw
#  By default, sudo will refuse to run if the user must enter a password but it is not possible to disable echo on the 
#  terminal. If the visiblepw flag is set, sudo will prompt for a password even when it would be visible on the screen. 
#  This makes it possible to run things like "rsh somehost sudo ls" since rsh(1) does not allocate a tty. Default: OFF

#Defaults closefrom
#  Before it executes a command, sudo will close all open file descriptors other than standard
#  input, standard output and standard error (ie: file descriptors 0-2).

#Defaults passwd_tries
#  The number of tries a user gets to enter his/her password before sudo logs the failure
#  and exits.  The default is 3.

#Defaults loglinelen
#  Number of characters per line for the file log.  This value is used to decide when to wrap
#  lines for nicer log files.  This has no effect on the syslog log file, only the file log.

#Defaults passwd_timeout
#  Number of minutes before the sudo password prompt times out, or 0 for no timeout.
#  The timeout may include a fractional component if minute granularity is insufficient, for example 2

#Defaults timestamp_timeout
#  Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout
#  may include a fractional component if minute granularity is insufficient, for example 2.5. timestamp will never expire.
#  This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

#Defaults umask
#  Umask to use when running the command.  Negate this option or set it to 0777 to preserve
#  the user's umask.  The actual umask that is used will be the union of the user's umask and the value o running
#  a command.  Note on systems that use PAM, the default PAM configuration may specify its own umask which will
#  override the value set in sudoers.

#Defaults badpass_message
#  Message that is displayed if a user enters an incorrect password.  The default is Sorry,
#  try again. unless insults are enabled.

#Defaults editor
#  A colon (':') separated list of editors allowed to be used with visudo.  visudo will choose
#  the editor that matches the user's EDITOR environment variable if possible, or the first editor in

#Defaults iolog_dir
#  The top-level directory to use when constructing the path name for the input/output log
#  directory.  Only used if the log_input or log_output options are enabled or when the LOG_INPUT or L directory.
#  The default is "/var/log/sudo-io". The following percent (%) escape sequences are supported:
#    %{seq}         - expanded to base-36 sequence number, such as 0100A5, to form a new directory, e.g. 01/00/A5
#    %{user}        - expanded to the invoking user's login name
#    %{group}       - expanded to the name of the invoking user's real group ID
#    %{runas_user}  - expanded to the login name of the user the command will be run as (e.g. root)
#    %{runas_group} - expanded to the group name of the user the command will be run as (e.g. wheel)
#    %{hostname}    - expanded to the local host name without the domain name
#    %{command}     - expanded to the base name of the command being run In addition, any escape sequences supported by
#                     strftime() function will be expanded. To include a literal % character, the string %% should be used.

#Defaults iolog_file
#  The path name, relative to iolog_dir, in which to store input/output logs when the log_input or log_output options are
#  enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a See the iolog_dir option above for a list of
#  supported percent (%) escape sequences. In addition to the escape sequences, path names that end in six or more Xs will
#  have the Xs replaced with a unique combination of digits and letters, similar to the mktemp() function.

#Defaults mailsub
#  Subject of the mail sent to the mailto user. The escape %h will expand to the host name of
#  the machine.  Default is *** SECURITY information for %h ***.

#Defaults noexec_file
#  This option is no longer supported.  The path to the noexec file should now be set in the /etc/sudo.conf file.

#Defaults passprompt
#  The default prompt to use when asking for a password; can be overridden via the -p option or the SUDO_PROMPT
#  environment variable.  The following percent (%) escape sequences are supported:
#    %H - expanded to the local host name including the domain (only if the host name is fqdn or fqdn option is set)
#    %h - expanded to the local host name without the domain name
#    %p - expanded to the user whose password is being asked for (respects the rootpw, targetpw and runaspw flags)
#    %U - expanded to the login name of the user the command will be run as (defaults to root)
#    %u - expanded to the invoking user's login name
#    %% - two consecutive % characters are collapsed into a single % character
#  The default value is Password:.

#Defaults runas_default
#  The default user to run commands as if the -u option is not specified on the command line. This defaults to root.

#Defaults syslog_badpri
#  Syslog priority to use when user authenticates unsuccessfully.  Defaults to alert.
#  alert, crit, debug, emerg, err, info, notice, and warning.

#Defaults syslog_goodpri
#  Syslog priority to use when user authenticates successfully.  Defaults to notice. See syslog_badpri for the priorities.

#Defaults sudoers_locale
#  Locale to use when parsing the sudoers file, logging commands, and sending email.
#  Note that changing the locale may affect how sudoers is interpreted.  Defaults to "C".

#Defaults timestampdir
#  The directory in which sudo stores its timestamp files.  The default is /var/db/sudo.

#Defaults timestampowner
#  The owner of the timestamp directory and the timestamps stored therein.  The default is root.

#Defaults env_file
#  The env_file option specifies the fully qualified path to a file containing variables to
#  be set in the environment of the program being run.  Entries in this file should either be of the f quotes.
#  Variables in this file are subject to other sudo environment settings such as env_keep and env_check.

#Defaults exempt_group
#  Users in this group are exempt from password and PATH requirements.  The group name specified should not include
#  a % prefix.  This is not set by default.

#Defaults group_plugin
#  A string containing a sudoers group plugin with optional arguments.  This can be used to implement support for the
#  nonunix_group syntax described earlier.  The string should consist of configuration arguments the plugin requires.
#  These arguments (if any) will be passed to the plugin's initialization function. If arguments are present, the
#  string must be enclosed in double quote For example, given /etc/sudo-group, a group file in Unix group format,
#  the sample group plugin can be used: Defaults group_plugin="sample_group.so /etc/sudo-group"
#  For more information see sudo_plugin(5).

#Defaults lecture
#  This option controls when a short lecture will be printed along with the password prompt.  The default value is once.
#  It has the following possible values:
#    always - Always lecture the user.
#    never  - Never lecture the user.
#    once   - Only lecture the user the first time they run sudo.
#  If no value is specified, a value of once is implied.  Negating the option results in a value of never being used.

#Defaults lecture_file
#  Path to a file containing an alternate sudo lecture that will be used in place of the standard lecture if the named
#  file exists.  By default, sudo uses a built-in lecture.

#Defaults listpw
#  This option controls when a password will be required when a user runs sudo with the -l option.
#  It has the following possible values:
#    all    - All the user's sudoers entries for the current host must have the NOPASSWD set to avoid entering a pass.
#    always - The user must always enter a password to use the -l option.
#    any    - At least one of the user's sudoers entries for the current host must have the NOPASSWD set to avoid pass.
#    never  - The user need never enter a password to use the -l option.
#  If no value is specified, a value of any is implied.  The default value is any.

#Defaults logfile
#  Path to the sudo log file (not the syslog log file).  Setting a path turns on logging to a file;
#  negating this option turns it off.  By default, sudo logs via syslog.

#Defaults mailerflags
#  Flags to use when invoking mailer. Defaults to -t.

#Defaults mailerpath
#  Path to mail program used to send warning mail.  Defaults to the path to sendmail found at configure time.

#Defaults mailfrom
#  Address to use for the "from" address when sending warning and error mail.  The address should
#  be enclosed in double quotes (") to protect against sudo interpreting the @ sign.

#Defaults mailto
#  Address to send warning and error mail to.  The address should be enclosed in double quotes
#  (") to protect against sudo interpreting the @ sign.  Defaults to root.

#Defaults secure_path
#  Path used for every command run from sudo.  If you don't trust the people running sudo to have a sane PATH environment
#  variable you may want to use this.  Another use is if you want to option are not affected by secure_path.
#  This option is not set by default.

#Defaults syslog
#  Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth.
#  authpriv (if OS supports it), auth, daemon, user, local0, local1, local2, local3, local4, local5, local6, and local7.

#Defaults verifypw
#  This option controls when a password will be required when a user runs sudo with the -v option.
#  It has the following possible values:
#    all    - All the user's sudoers entries for the current host must have the NOPASSWD flag to avoid pw.
#    always - The user must always enter a password to use the -v option.
#    any    - At least one of the user's sudoers entries for the current host must have NOPASSWD to avoid pw.
#    never  - The user need never enter a password to use the -v option
#  If no value is specified, a value of all is implied.  Negating the option results in a value of never being used.
#  The default value is all.

#Defaults env_check
#  Environment variables to be removed from the user's environment if the variable's value contains % or / characters.
#  This can be used to guard against printf-style format vulnerabilities value without double-quotes.  The list can be
#  replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively.  Regardless of
#  whether the env_reset option is ena they pass the aforementioned check. The default list of environment variables
#  to check is displayed when sudo is run by root with the -V option.

#Defaults env_delete
#  Environment variables to be removed from the user's environment when the env_reset option is not in effect.  The
#  argument may be a double-quoted, space-separated list or a single value w +=, -=, and ! operators respectively.
#  The default list of environment variables to remove is displayed when sudo is run by root with the -V option.

#Defaults env_keep
#  Environment variables to be preserved in the user's environment when the env_reset option is in effect.  This
#  allows fine-grained control over the environment sudo-spawned processes will r quotes.  The list can be replaced,
#  added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively.