[docs] mention logfile and remove exempt_group (#1387)

konstruktoid · web-flow · commit a15a5da20335 · 2025-12-15T11:31:47.000+01:00
This PR:
- adds a note regarding `logfile` since it's a CIS Ubuntu Linux (e.g
24.04 LTS) Benchmark requirement (`5.2.3 Ensure sudo log file exists`)
- remove mentions of `exempt_group` since it's not supported

```sh
/etc/sudoers:10:10: unknown setting: 'exempt_group'
Defaults        exempt_group=sudo
                ^~~~~~~~~~~~
/etc/sudoers.d/012_logfile:1:10: unknown setting: 'logfile'
Defaults logfile="/var/log/sudo.log"
```

---------

Signed-off-by: Thomas Sjögren &lt;konstruktoid@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ To avoid that and/or to get the latest version, you can use our prepackaged bina
 
 ### Ubuntu 25.10 (Questing Quokka)
 
-sudo-rs is installed and enabled by default; you can control which sudo version is being used by running 
+sudo-rs is installed and enabled by default; you can control which sudo version is being used by running
 ```sh
 update-alternatives --config sudo
 ```
@@ -70,7 +70,7 @@ We are maintaining the FreeBSD port of sudo-rs ourselves, which is available in
 pkg install sudo-rs
 ```
 To get sudo-rs using the commands `sudo`, `visudo` and `sudoedit`. This conflicts with the `security/sudo` package and so you cannot have both
-installed at the same time. 
+installed at the same time.
 
 Alternatively,
 ```
@@ -206,6 +206,7 @@ Exceptions to the above, with respect to your `/etc/sudoers` configuration:
   compatibility reasons.
 * `timestamp_type` is always set at `tty`.
 * `sudoedit_checkdir` is always `on`, and `sudoedit_follow` is always `off`.
+* `logfile` is not supported --- logging is always done via syslog.
 
 Some other notable restrictions to be aware of:
 
diff --git a/docs/man/sudoers.5.md b/docs/man/sudoers.5.md
@@ -290,8 +290,6 @@ would allow the user queen to run /bin/kill, /bin/ls, and /usr/bin/lprm as root
 
        queen     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
 
-Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group setting.
-
 By default, if the NOPASSWD tag is applied to any of a user's entries for the current host, the user will be able to run “sudo -l” without a password.  Additionally, a user may only run “sudo -v” without a password if all of the user's entries for the current host have the NOPASSWD tag.
 
 ### SETENV and NOSETENV
