##
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.

## Please consider adding local content in /etc/sudoers.d/ instead of
## directly modifying this file.

# This causes mail to be sent to the mailto user if the user running
# sudo does not enter the correct password. This is off in Debian by
# default since Debian 14.
#Defaults	mail_badpass

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias	WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# 			    /usr/bin/pkill, /usr/bin/top
#
# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
#
# Cmnd_Alias	PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
# 			 /usr/bin/yum, /usr/bin/dnf,  /usr/bin/zypper, \
# 			 /usr/bin/pacman

##
## Defaults specification
##
## Preserve editor environment variables for visudo.
## To preserve these for all commands, remove the "!visudo" qualifier.
Defaults!/usr/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
##
## Preserve EDITOR environment variables for all users in the sudo group.
## This allows running arbitrary commands, but sudo members are root
## equivalent anyway.
#Defaults:%sudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
##
## Use a hard-coded PATH instead of the user's to find commands.
## This also helps prevent poorly written scripts from running
## arbitrary commands under sudo.
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to preserve proxy settings from user environments of root
## equivalent users (group sudo)
# Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
##
## Uncomment to preserve environment variables for grep
# Defaults:%sudo env_keep += "GREP_COLOR"
##
## Uncomment to preserve git related environment. While you shouldn't
## normally run git as root, you need to with etckeeper
# Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
##
## Uncomment to preserve Debian-related environment variables. root 
## won't have sensible values for them.
# Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
##
## Uncomment to allow root to use the calling user's ssh agent
## transparently. This enabled "sudo scp" or "sudo rsync"
# Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
##
## Uncomment to allow root to use the calling user's gpg agent
## transparently. This enabled "sudo scp" or "sudo rsync"
# Defaults:%sudo env_keep += "GPG_AGENT_INFO"
##
## Uncomment to disable "use_pty" when running commands as root.
## Commands run as non-root users will run in a pseudo-terminal,
## not the user's own terminal, to prevent command injection.
# Defaults>root !use_pty
##
## Uncomment to run commands in the background by default.
## This can be used to prevent sudo from consuming user input while
## a non-interactive command runs if "use_pty" or I/O logging are
## enabled.  Some commands may not run properly in the background.
# Defaults exec_background
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
## Uncomment to disable intercept and log_subcmds for debuggers and
## tracers.  Otherwise, anything that uses ptrace(2) will be unable
## to run under sudo if intercept_type is set to "trace".
# Defaults!DEBUGGERS !intercept, !log_subcmds
##
## Uncomment to disable intercept and log_subcmds for package managers.
## Some package scripts run a huge number of commands, which is made
## slower by these options and also can clutter up the logs.
# Defaults!PKGMAN !intercept, !log_subcmds
##
## Uncomment to disable PAM silent mode.  Otherwise messages by PAM
## modules such as pam_faillock will not be printed.
# Defaults !pam_silent
##
## Uncomment for sudo to require the password of the target user to
## allow changing users. By default, with this commented, sudo asks for
## the password of the calling user.
## Before uncommenting this, make sure that all your local configuration
## that is intended to escalate privileges with the credentials of the
## calling user have an explicit "Defaults:<entity> !targetpw" line.
# Defaults targetpw

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command.
# This is going to become optional at some point in the future, so please
# consider adding a file in /etc/sudoers.d/zz_group_sudo containing this if
# you want the sudo group to work. See also Bug#1136732.
Defaults:%wheel !targetpw
%sudo ALL=(ALL:ALL) ALL

## Read drop-in files from /etc/sudoers.d. Consider setting
## !targetpw in your snippets, so that Debian might change the
## default at some time in the future.
## See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
