diff --git a/TODO b/TODO
new file mode 100644
index 0000000..207d22a
--- /dev/null
+++ b/TODO
@@ -0,0 +1,5 @@
+- Modify the following environment variables: (listed in environ(7))
+ * USER -> to target user
+ * LOGNAME -> to target user
+ * SHELL -> to the target user's SHELL
+ * HOME -> to the target user's HOME
diff --git a/config.template b/config.template
new file mode 100644
index 0000000..af339c8
--- /dev/null
+++ b/config.template
@@ -0,0 +1,96 @@
+SECURITY CONSIDERATIONS
+=======================
+
+1. commands must be given by absolute path, that's because if you do otherwise
+ nopassword commands could be hijacked:
+
+ in the config:
+ nopass badguy as root cmd zzz
+ in the shell:
+ ~ $ export PATH=/home/badguy/test:$PATH
+ ~ $ mkdir test
+ ~ $ printf '#!/bin/sh\nrm -rf --no-preserve-root' > test/zzz
+ ~ $ chmod +x test/zzz
+ ~ $ us zzz #this deletes the filesystem without password!
+
+IDEA 1
+======
+
+# this is a comment
+# rules are goruped by user/group
+# rules are structured somewhat like json, example:
+
+# Only 'command' is allowed to run without a password, all the rest is blocked
+ale {
+ allow {
+ command nopass
+ }
+
+ deny {
+ /.*/
+ }
+}
+
+IDEA 2 - THE DOAS WAY
+=====================
+
+# this is a comment
+# every line is a rule
+# rules are structured like this:
+
+permit|deny [options] identity [as target] [cmd command [args ...]]
+
+# look at doas.conf(5) for more information
+
+IDEA 2-3
+========
+
+# reverse-doas way
+-> identity permit|deny [command [args ...]] [options]
+
+# but how would I distinguish between command and options?
+-> identity [options] permit|deny [command [args ...]]
+
+# spaces are not a very good separatow when in comes to commands
+-> identity,[options],permit|deny,[command [args ...]]
+
+#
+# this is kinda similar to a crontab, basically options are required
+#
+
+ # config structure:
+ -> identity options as action [command [args ...]]
+ ^ ^ ^ ^
+ can be * | | permit, deny
+ can be nil (NULL) |
+ can be *
+
+ # permit user "ale" to execute command "shutdown" as root without password:
+ -> ale nopass root permit shutdown
+ # permit members of the wheel group to execute any comands as any user:
+ -> :wheel nil * permit
+ # deny users of the wheel group to execute commands that begin with "sys":
+ # this could be circumvented by having the command inside a shell script
+ -> :wheel nil * deny /sys.*/
+ # deny all users to execute all comands as any other user
+ -> * nil * deny
+#
+# let's scramble things up to make more sense
+#
+ [action] options identity as [command [args ...]]
+ ^ ^ ^ ^
+ | | can both be * (any)
+ | can be none, comma separated
+ none: permit
+ '!': deny (negate rule)
+
+ # allow users of the wheel group to execute any command as root:
+ -> none :wheel root
+ # deny all users to execute commands that start with "sys"
+ -> ! none * * /sys.*/
+
+IDEA 3 - THE SUCKLESS WAY
+=========================
+
+configuration should happen inside a source file called config.h, to apply
+changes to the configuration the program has to be recompiled
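Review bot: Point 1 of SECURITY CONSIDERATIONS records the absolute-path requirement but not the second half of the same mitigation, namely that the environment handed to the target command is reset before exec; the PATH hijack shown in the example still reaches any child the permitted command itself spawns if the caller's PATH is inherited. The TODO added in this commit lists USER, LOGNAME, SHELL and HOME but not PATH, IFS or the dynamic-loader variables, which doas and sudo both reset or strip, so a second consideration such as `2. the environment is sanitized before exec: PATH is set to a fixed default and loader/shell-parsing variables (LD_*, IFS) are dropped` would keep the design note and the TODO in step. The "deny /sys.*/" caveat in IDEA 2-3 already observes that a name-based deny is bypassable by wrapping the command; it is worth stating there that matching is intended to be on the resolved absolute path, since otherwise the relative-path problem from point 1 reappears in deny rules.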