This can be used by a user to log commands through sudo even when a root shell has been invoked.
It also allows the -e option to remain useful even when invoked via a sudo-run script or program.
By default, sudoers will log via syslog(3) but this is changeable via the syslog and logfile Defaults settings. Since environment variables can influence program behavior, sudoers provides a means to restrict which variables from the user's environment are inherited by the command to be run.
The address used for such mail is configurable via the mailto Defaults entry (described later) and defaults to Note that no mail will be sent if an unauthorized user tries to run sudo with the -l or -v option unless there is an authentication error and either the mail_always or mail_badpass flags are enabled.
This allows users to determine for themselves whether or not they are allowed to use sudo.
The sudoers policy plugin determines a user's sudo privileges. The policy is driven by the /etc/sudoers file or, optionally in LDAP.
The policy format is described in detail in the SUDOERS FILE FORMAT section.
If no sudo.conf(5) file is present, or if it contains no Starting with sudo 1.8.5, it is possible to specify optional arguments to the sudoers plugin in the sudo.conf(5) file.
These arguments, if present, should be listed after the path to the plugin (i.e. Multiple arguments may be specified, separated by white space.
If, however, the env_reset option is disabled, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process.
In this case, env_check and env_delete behave like a blacklist.
On systems that support PAM where the pam_env module is enabled for sudo, variables in the PAM environment may be merged in to the environment.
If a variable in the PAM environment is already present in the user's environment, the value will only be overridden if the variable was not preserved by sudoers.
Environment variables with a value beginning with are removed unless both the name and value parts are matched by env_keep or env_check, as they will be interpreted as functions by older versions of the bash shell.