docs: fix sudoers(5)

e-kwsm · e-kwsm · commit 4f23c5b321f5 · 2026-04-12T12:28:18.000+09:00
- iolog_flush: boolean
- iolog_mode: integer
- passwd_timeout: decimal or boolean
- timestamp_timeout: decimal or boolean
diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
@@ -3195,6 +3195,19 @@ This flag is
 \fI@insults@\fR
 by default.
 .TP 18n
+iolog_flush
+If set,
+\fBsudo\fR
+will flush I/O log data to disk after each write instead of buffering it.
+This makes it possible to view the logs in real-time as the program
+is executing but may significantly reduce the effectiveness of I/O
+log compression.
+This flag is
+\fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.8.20 or higher.
+.TP 18n
 log_allowed
 If set,
 \fBsudoers\fR
@@ -4481,31 +4494,6 @@ This value is used to decide when to wrap lines for nicer log files.
 This has no effect on the syslog log file, only the file log.
 The default is @loglen@ (use 0 or negate the option to disable word wrap).
 .TP 18n
-passwd_timeout
-Number of minutes before the
-\fBsudo\fR
-password prompt times out, or 0 for no timeout.
-The timeout may include a fractional component
-if minute granularity is insufficient, for example 2.5.
-The default is @password_timeout@.
-.TP 18n
-timestamp_timeout
-.br
-Number of minutes that can elapse before
-\fBsudo\fR
-will ask for a password again.
-The timeout may include a fractional component if
-minute granularity is insufficient, for example 2.5.
-The default is @timeout@.
-Set this to 0 to always prompt for a password.
-If set to a value less than 0 the user's time stamp will not expire
-until the system is rebooted.
-This can be used to allow users to create or delete their own time stamps via
-\(oqsudo \-v\(cq
-and
-\(oqsudo \-k\(cq
-respectively.
-.TP 18n
 umask
 File mode creation mask to use when running the command.
 Negate this option or set it to 0777 to prevent
@@ -4534,6 +4522,46 @@ the umask specified by PAM or login.conf will take precedence.
 The umask setting in PAM is not used for
 \fBsudoedit\fR,
 which does not create a new PAM session.
+.TP 18n
+iolog_mode
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group, or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
+When creating I/O log directories, search (execute) bits are added
+to match the read and write bits specified by
+\fIiolog_mode\fR.
+Defaults to 0600 (read and write by user only).
+.sp
+This setting is only supported by version 1.8.19 or higher.
+.PP
+\fBDecimals that can be used in a boolean context\fR:
+.TP 18n
+passwd_timeout
+Number of minutes before the
+\fBsudo\fR
+password prompt times out, or 0 for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example 2.5.
+The default is @password_timeout@.
+.TP 18n
+timestamp_timeout
+.br
+Number of minutes that can elapse before
+\fBsudo\fR
+will ask for a password again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example 2.5.
+The default is @timeout@.
+Set this to 0 to always prompt for a password.
+If set to a value less than 0 the user's time stamp will not expire
+until the system is rebooted.
+This can be used to allow users to create or delete their own time stamps via
+\(oqsudo \-v\(cq
+and
+\(oqsudo \-k\(cq
+respectively.
 .PP
 \fBStrings\fR:
 .if \n(AA \{\
@@ -4790,19 +4818,6 @@ ends in six or
 more
 \fIX\fRs.
 .TP 18n
-iolog_flush
-If set,
-\fBsudo\fR
-will flush I/O log data to disk after each write instead of buffering it.
-This makes it possible to view the logs in real-time as the program
-is executing but may significantly reduce the effectiveness of I/O
-log compression.
-This flag is
-\fIoff\fR
-by default.
-.sp
-This setting is only supported by version 1.8.20 or higher.
-.TP 18n
 iolog_group
 The group name to look up when setting the group-ID on new I/O log
 files and directories.
@@ -4820,19 +4835,6 @@ are set, I/O log files and directories are created with group-ID 0.
 .sp
 This setting is only supported by version 1.8.19 or higher.
 .TP 18n
-iolog_mode
-The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group, or other
-are honored, everything else is ignored.
-The file permissions will always include the owner read and
-write bits, even if they are not present in the specified mode.
-When creating I/O log directories, search (execute) bits are added
-to match the read and write bits specified by
-\fIiolog_mode\fR.
-Defaults to 0600 (read and write by user only).
-.sp
-This setting is only supported by version 1.8.19 or higher.
-.TP 18n
 iolog_user
 The user name to look up when setting the user and group-IDs on new
 I/O log files and directories.
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
@@ -3017,6 +3017,18 @@ will insult users when they enter an incorrect password.
 This flag is
 .Em @insults@
 by default.
+.It iolog_flush
+If set,
+.Nm sudo
+will flush I/O log data to disk after each write instead of buffering it.
+This makes it possible to view the logs in real-time as the program
+is executing but may significantly reduce the effectiveness of I/O
+log compression.
+This flag is
+.Em off
+by default.
+.Pp
+This setting is only supported by version 1.8.20 or higher.
 .It log_allowed
 If set,
 .Nm
@@ -4232,28 +4244,6 @@ Number of characters per line for the file log.
 This value is used to decide when to wrap lines for nicer log files.
 This has no effect on the syslog log file, only the file log.
 The default is @loglen@ (use 0 or negate the option to disable word wrap).
-.It passwd_timeout
-Number of minutes before the
-.Nm sudo
-password prompt times out, or 0 for no timeout.
-The timeout may include a fractional component
-if minute granularity is insufficient, for example 2.5.
-The default is @password_timeout@.
-.It timestamp_timeout
-Number of minutes that can elapse before
-.Nm sudo
-will ask for a password again.
-The timeout may include a fractional component if
-minute granularity is insufficient, for example 2.5.
-The default is @timeout@.
-Set this to 0 to always prompt for a password.
-If set to a value less than 0 the user's time stamp will not expire
-until the system is rebooted.
-This can be used to allow users to create or delete their own time stamps via
-.Ql sudo \-v
-and
-.Ql sudo \-k
-respectively.
 .It umask
 File mode creation mask to use when running the command.
 Negate this option or set it to 0777 to prevent
@@ -4282,6 +4272,44 @@ the umask specified by PAM or login.conf will take precedence.
 The umask setting in PAM is not used for
 .Nm sudoedit ,
 which does not create a new PAM session.
+.It iolog_mode
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group, or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
+When creating I/O log directories, search (execute) bits are added
+to match the read and write bits specified by
+.Em iolog_mode .
+Defaults to 0600 (read and write by user only).
+.Pp
+This setting is only supported by version 1.8.19 or higher.
+.El
+.Pp
+.Sy Decimals that can be used in a boolean context :
+.Bl -tag -width 16n
+.It passwd_timeout
+Number of minutes before the
+.Nm sudo
+password prompt times out, or 0 for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example 2.5.
+The default is @password_timeout@.
+.It timestamp_timeout
+Number of minutes that can elapse before
+.Nm sudo
+will ask for a password again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example 2.5.
+The default is @timeout@.
+Set this to 0 to always prompt for a password.
+If set to a value less than 0 the user's time stamp will not expire
+until the system is rebooted.
+This can be used to allow users to create or delete their own time stamps via
+.Ql sudo \-v
+and
+.Ql sudo \-k
+respectively.
 .El
 .Pp
 .Sy Strings :
@@ -4515,18 +4543,6 @@ overwritten unless
 ends in six or
 more
 .Em X Ns s .
-.It iolog_flush
-If set,
-.Nm sudo
-will flush I/O log data to disk after each write instead of buffering it.
-This makes it possible to view the logs in real-time as the program
-is executing but may significantly reduce the effectiveness of I/O
-log compression.
-This flag is
-.Em off
-by default.
-.Pp
-This setting is only supported by version 1.8.20 or higher.
 .It iolog_group
 The group name to look up when setting the group-ID on new I/O log
 files and directories.
@@ -4543,18 +4559,6 @@ nor
 are set, I/O log files and directories are created with group-ID 0.
 .Pp
 This setting is only supported by version 1.8.19 or higher.
-.It iolog_mode
-The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group, or other
-are honored, everything else is ignored.
-The file permissions will always include the owner read and
-write bits, even if they are not present in the specified mode.
-When creating I/O log directories, search (execute) bits are added
-to match the read and write bits specified by
-.Em iolog_mode .
-Defaults to 0600 (read and write by user only).
-.Pp
-This setting is only supported by version 1.8.19 or higher.
 .It iolog_user
 The user name to look up when setting the user and group-IDs on new
 I/O log files and directories.
