
6th chunk of `sudo.man`
 list of groups the target user is a member of.  The real and
               effective group‐IDs, however, are still set to match the  target
               user.

       -p prompt, --prompt=prompt
               Use  a  custom  password  prompt with optional escape sequences.
               The following percent (‘%’) escape sequences  are  supported  by
               the sudoers policy:

               %H  expanded to the host name including the domain name (only if
                   the  machine’s  host name is fully qualified or the fqdn op‐
                   tion is set in sudoers(5))

               %h  expanded to the local host name without the domain name

               %p  expanded to the name of the user whose password is being re‐
                   quested (respects the rootpw, targetpw, and runaspw flags in
                   sudoers(5))

               %U  expanded to the login name of the user the command  will  be
                   run as (defaults to root unless the -u option is also speci‐
                   fied)

               %u  expanded to the invoking user’s login name

               %%  two  consecutive  ‘%’ characters are collapsed into a single
                   ‘%’ character

               The custom prompt will override the default prompt specified  by
               either  the security policy or the SUDO_PROMPT environment vari‐
               able.  On systems that use PAM,  the  custom  prompt  will  also
               override  the  prompt  specified  by  a  PAM  module  unless the
               passprompt_override flag is disabled in sudoers.

       -R directory, --chroot=directory
               Change to the specified root directory  (see  chroot(8))  before
               running the command.  The security policy may return an error if
               the user does not have permission to specify the root directory.

       -r role, --role=role
               Run  the  command with an SELinux security context that includes
               the specified role.

       -S, --stdin
               Write the prompt to the standard error  and  read  the  password
               from the standard input instead of using the terminal device.

       -s, --shell
               Run  the shell specified by the SHELL environment variable if it
               is set or the shell specified by the  invoking  user’s  password
               database  entry.  If a command is specified, it is passed to the
               shell as a simple command using the -c option.  The command  and
               any  args  are concatenated, separated by spaces, after escaping
               each character (including white space) with  a  backslash  (‘\’)
               except  for  alphanumerics,  underscores,  hyphens,  and  dollar
               signs.  If no command is specified, an interactive shell is exe‐
               cuted.  Most shells behave differently when a command is  speci‐
               fied  as compared to an interactive session; consult the shell’s
               manual for details.

       -t type, --type=type
               Run the command with an SELinux security context  that  includes
               the  specified  type.  If no type is specified, the default type
               is derived from the role.

       -U user, --other-user=user
               Used in conjunction with the -l option to  list  the  privileges
               for  user instead of for the invoking user.  The security policy
               may restrict listing other users’ privileges.   When  using  the
               sudoers policy, the -U option is restricted to the root user and
               users  with either the “list” privilege for the specified user or
               the ability to run any command as root or user  on  the  current
               host.

       -T timeout, --command-timeout=timeout
               Used  to  set a timeout for the command.  If the timeout expires
               before the command has

Title: Sudo Options: Prompt Customization, SELinux, Shell Execution, and User Privileges
Summary
The document describes more options for the `sudo` command. `-p prompt` allows customizing the password prompt using escape sequences. `-R directory` changes the root directory before running the command. `-r role` executes the command with a specific SELinux role. `-S` reads the password from standard input instead of the terminal. `-s` executes the shell specified by the SHELL environment variable or the user's password database entry. `-t type` runs the command with a specific SELinux type. `-U user` is used with `-l` to list privileges for a specified user. `-T timeout` specifies a timeout duration for the command. The security policy may restrict the use of some of these options.
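
The escaping rule given for `-s` above, as an added example that is not part of the man page or sudo's own code: it applies the stated rule and shows that shell metacharacters reach the shell as literal text while `$` is left unescaped, so variable references still expand. ASCII-only alphanumerics, the function names and the sample arguments are assumptions made for this illustration.

```python
import shlex
import string
import subprocess

# Left unescaped per the -s description: alphanumerics, underscores,
# hyphens and dollar signs. Restricting to ASCII is an assumption here.
SAFE = set(string.ascii_letters + string.digits + "_-$")


def escape_arg(arg):
    """Backslash-escape every character that is not in SAFE."""
    return "".join(c if c in SAFE else "\\" + c for c in arg)


def build_shell_command(argv):
    """Join the escaped command and args with single spaces."""
    return " ".join(escape_arg(a) for a in argv)


def shell_argv(shell, argv):
    """Vector the target shell is started with: SHELL -c '<escaped string>'."""
    return [shell, "-c", build_shell_command(argv)]


def words_seen_by_shell(cmd):
    """POSIX word splitting of the -c string (no expansion performed)."""
    return shlex.split(cmd, posix=True)


if __name__ == "__main__":
    # Constructed samples: what a user might type after `sudo -s`.
    samples = [
        ["ls", "-l", "/var/log/my file.txt"],  # white space is escaped
        ["echo", "a;b", "x|y"],                # ; and | lose their meaning
        ["echo", "$(id)"],                     # parentheses are escaped
        ["echo", "$HOME"],                     # '$' is NOT escaped
    ]
    for argv in samples:
        cmd = build_shell_command(argv)
        print(f"{argv!r}\n  -c string  : {cmd}")
        print(f"  shell words: {words_seen_by_shell(cmd)}")

    # Because '$' passes through, the target shell expands the variable.
    env = {"HOME": "/constructed/home", "PATH": "/usr/bin:/bin"}
    out = subprocess.run(shell_argv("sh", ["echo", "$HOME"]),
                         capture_output=True, text=True, env=env)
    print("sh output for $HOME:", out.stdout.strip())
```
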