Sort sudoers options; based on a diff from Igor Sobrado.

2007-07-26 11:28:45 +00:00
parent d947abaa35
commit b925712f94
1 changed files with 283 additions and 280 deletions
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -475,13 +475,62 @@ B<Flags>:
 =over 12
-=item long_otp_prompt
+=item always_set_home
-When validating with a One Time Password scheme (B<S/Key> or B<OPIE>),
+If set, B<sudo> will set the C<HOME> environment variable to the home
-a two-line prompt is used to make it easier to cut and paste the
+directory of the target user (which is root unless the B<-u> option is used).
-challenge to a local window.  It's not as pretty as the default but
+This effectively means that the B<-H> flag is always implied.
-some people find it more convenient.  This flag is I<@long_otp_prompt@>
+This flag is I<off> by default.
-by default.
+
 =item authenticate
 If set, users must authenticate themselves via a password (or other
 means of authentication) before they may run commands.  This default
 may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
 This flag is I<on> by default.
 =item closefrom_override
 If set, the user may use B<sudo>'s B<-C> option which
 overrides the default starting point at which B<sudo> begins
 closing open file descriptors.  This flag is I<off> by default.
 =item env_editor
 If set, B<visudo> will use the value of the EDITOR or VISUAL
 environment variables before falling back on the default editor list.
 Note that this may create a security hole as it allows the user to
 run any arbitrary command as root without logging.  A safer alternative
 is to place a colon-separated list of editors in the C<editor>
 variable.  B<visudo> will then only use the EDITOR or VISUAL if
 they match a value specified in C<editor>.  This flag is I<@env_editor@> by
 default.
 =item env_reset
 If set, B<sudo> will reset the environment to only contain the
 LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables.  Any
 variables in the caller's environment that match the C<env_keep>
 and C<env_check> lists are then added.  The default contents of the
 C<env_keep> and C<env_check> lists are displayed when B<sudo> is
 run by root with the I<-V> option.  If the I<secure_path> option
 is set, its value will be used for the C<PATH> environment variable.
 This flag is I<on> by default.
 =item fqdn
 Set this flag if you want to put fully qualified hostnames in the
 I<sudoers> file.  I.e., instead of myhost you would use myhost.mydomain.edu.
 You may still use the short form if you wish (and even mix the two).
 Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
 which may make B<sudo> unusable if DNS stops working (for example
 if the machine is not plugged into the network).  Also note that
 you must use the host's official name as DNS knows it.  That is,
 you may not use a host alias (C<CNAME> entry) due to performance
 issues and the fact that there is no way to get all aliases from
 DNS.  If your machine's hostname (as returned by the C<hostname>
 command) is already fully qualified you shouldn't need to set
 I<fqdn>.  This flag is I<@fqdn@> by default.
 =item ignore_dot
@@ -489,6 +538,40 @@ If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
 environment variable; the C<PATH> itself is not modified.  This
 flag is I<@ignore_dot@> by default.
 =item ignore_local_sudoers
 If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
 This is intended for Enterprises that wish to prevent the usage of local
 sudoers files so that only LDAP is used.  This thwarts the efforts of
 rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
 When this option is present, @sysconfdir@/sudoers does not even need to exist. 
 Since this option tells B<sudo> how to behave when no specific LDAP entries
 have been matched, this sudoOption is only meaningful for the cn=defaults
 section.  This flag is I<off> by default.
 =item insults
 If set, B<sudo> will insult users when they enter an incorrect
 password.  This flag is I<@insults@> by default.
 =item log_host
 If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
 This flag is I<off> by default.
 =item log_year
 If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
 This flag is I<off> by default.
 =item long_otp_prompt
 When validating with a One Time Password (OPT) scheme such as
 B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
 to cut and paste the challenge to a local window.  It's not as
 pretty as the default but some people find it more convenient.  This
 flag is I<@long_otp_prompt@> by default.
 =item mail_always
 Send mail to the I<mailto> user every time a users runs B<sudo>.
@@ -499,12 +582,6 @@ This flag is I<off> by default.
 Send mail to the I<mailto> user if the user running B<sudo> does not
 enter the correct password.  This flag is I<off> by default.
 =item mail_no_user
 If set, mail will be sent to the I<mailto> user if the invoking
 user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
 by default.
 =item mail_no_host
 If set, mail will be sent to the I<mailto> user if the invoking
@@ -518,62 +595,28 @@ user is allowed to use B<sudo> but the command they are trying is not
 listed in their I<sudoers> file entry or is explicitly denied.
 This flag is I<@mail_no_perms@> by default.
-=item tty_tickets
+=item mail_no_user
-If set, users must authenticate on a per-tty basis.  Normally,
+If set, mail will be sent to the I<mailto> user if the invoking
-B<sudo> uses a directory in the ticket dir with the same name as
+user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
-the user running it.  With this flag enabled, B<sudo> will use a
+by default.
 file named for the tty the user is logged in on in that directory.
 This flag is I<@tty_tickets@> by default.
-=item authenticate
+=item monitor
-If set, users must authenticate themselves via a password (or other
+If set, all commands run via B<sudo> will behave as if the C<MONITOR>
-means of authentication) before they may run commands.  This default
+tag has been set, unless overridden by a C<NOMONITOR> tag.  See the
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+description of I<MONITOR and NOMONITOR> below as well as the L<PREVENTING
-This flag is I<on> by default.
+SHELL ESCAPES> section at the end of this manual.  Be aware that
-
+tracing is only supported on certain operating systems.  On systems
-=item root_sudo
+where it is not supported this flag will have no effect.
 If set, root is allowed to run B<sudo> too.  Disabling this prevents users
 from "chaining" B<sudo> commands to get a root shell by doing something
 like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
 will also prevent root and from running B<sudoedit>.
 Disabling I<root_sudo> provides no real additional security; it
 exists purely for historical reasons.
 This flag is I<@root_sudo@> by default.
 =item log_host
 If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
 This flag is I<off> by default.
-=item log_year
+=item noexec
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
-This flag is I<off> by default.
+tag has been set, unless overridden by a C<EXEC> tag.  See the
-
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
-=item shell_noargs
+ESCAPES> section at the end of this manual.  This flag is I<off> by default.
 If set and B<sudo> is invoked with no arguments it acts as if the
 B<-s> flag had been given.  That is, it runs a shell as root (the
 shell is determined by the C<SHELL> environment variable if it is
 set, falling back on the shell listed in the invoking user's
 /etc/passwd entry if not).  This flag is I<off> by default.
 =item set_home
 If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
 environment variable will be set to the home directory of the target
 user (which is root unless the B<-u> option is used).  This effectively
 makes the B<-s> flag imply B<-H>.  This flag is I<off> by default.
 =item always_set_home
 If set, B<sudo> will set the C<HOME> environment variable to the home
 directory of the target user (which is root unless the B<-u> option is used).
 This effectively means that the B<-H> flag is always implied.
 This flag is I<off> by default.
 =item path_info
@@ -594,26 +637,6 @@ user's existing group vector is left unaltered.  The real and
 effective group IDs, however, are still set to match the target
 user.  This flag is I<off> by default.
 =item fqdn
 Set this flag if you want to put fully qualified hostnames in the
 I<sudoers> file.  I.e., instead of myhost you would use myhost.mydomain.edu.
 You may still use the short form if you wish (and even mix the two).
 Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
 which may make B<sudo> unusable if DNS stops working (for example
 if the machine is not plugged into the network).  Also note that
 you must use the host's official name as DNS knows it.  That is,
 you may not use a host alias (C<CNAME> entry) due to performance
 issues and the fact that there is no way to get all aliases from
 DNS.  If your machine's hostname (as returned by the C<hostname>
 command) is already fully qualified you shouldn't need to set
 I<fqdn>.  This flag is I<@fqdn@> by default.
 =item insults
 If set, B<sudo> will insult users when they enter an incorrect
 password.  This flag is I<@insults@> by default.
 =item requiretty
 If set, B<sudo> will only run when the user is logged in to a real
@@ -623,16 +646,15 @@ off echo when there is no tty present, some sites may wish to set
 this flag to prevent a user from entering a visible password.  This
 flag is I<off> by default.
-=item env_editor
+=item root_sudo
-If set, B<visudo> will use the value of the EDITOR or VISUAL
+If set, root is allowed to run B<sudo> too.  Disabling this prevents users
-environment variables before falling back on the default editor list.
+from "chaining" B<sudo> commands to get a root shell by doing something
-Note that this may create a security hole as it allows the user to
+like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
-run any arbitrary command as root without logging.  A safer alternative
+will also prevent root and from running B<sudoedit>.
-is to place a colon-separated list of editors in the C<editor>
+Disabling I<root_sudo> provides no real additional security; it
-variable.  B<visudo> will then only use the EDITOR or VISUAL if
+exists purely for historical reasons.
-they match a value specified in C<editor>.  This flag is C<@env_editor@> by
+This flag is I<@root_sudo@> by default.
 default.
 =item rootpw
@@ -645,13 +667,12 @@ If set, B<sudo> will prompt for the password of the user defined by the
 I<runas_default> option (defaults to C<@runas_default@>) instead of the
 password of the invoking user.  This flag is I<off> by default.
-=item targetpw
+=item set_home
-If set, B<sudo> will prompt for the password of the user specified by
+If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
-the B<-u> flag (defaults to C<root>) instead of the password of the
+environment variable will be set to the home directory of the target
-invoking user.  Note that this precludes the use of a uid not listed
+user (which is root unless the B<-u> option is used).  This effectively
-in the passwd database as an argument to the B<-u> flag.
+makes the B<-s> flag imply B<-H>.  This flag is I<off> by default.
 This flag is I<off> by default.
 =item set_logname
@@ -663,7 +684,24 @@ determine the real identity of the user, it may be desirable to
 change this behavior.  This can be done by negating the set_logname
 option.  Note that if the I<env_reset> option has not been disabled,
 entries in the I<env_keep> list will override the value of
-I<set_logname>.
+I<set_logname>.  This flag is I<off> by default.
 =item setenv
 Allow the user to disable the I<env_reset> option from the command
 line.  Additionally, environment variables set via the command line
 are not subject to the restrictions imposed by I<env_check>,
 I<env_delete>, or I<env_keep>.  As such, only trusted users should
 be allowed to set variables in this manner.  This flag is I<off>
 by default.
 =item shell_noargs
 If set and B<sudo> is invoked with no arguments it acts as if the
 B<-s> flag had been given.  That is, it runs a shell as root (the
 shell is determined by the C<SHELL> environment variable if it is
 set, falling back on the shell listed in the invoking user's
 /etc/passwd entry if not).  This flag is I<off> by default.
 =item stay_setuid
@@ -674,18 +712,23 @@ user's UID.  In other words, this makes B<sudo> act as a setuid
 wrapper.  This can be useful on systems that disable some potentially
 dangerous functionality when a program is run setuid.  This option
 is only effective on systems with either the setreuid() or setresuid()
-function.
+function.  This flag is I<off> by default.
-=item env_reset
+=item targetpw
-If set, B<sudo> will reset the environment to only contain the
+If set, B<sudo> will prompt for the password of the user specified by
-LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables.  Any
+the B<-u> flag (defaults to C<root>) instead of the password of the
-variables in the caller's environment that match the C<env_keep>
+invoking user.  Note that this precludes the use of a uid not listed
-and C<env_check> lists are then added.  The default contents of the
+in the passwd database as an argument to the B<-u> flag.
-C<env_keep> and C<env_check> lists are displayed when B<sudo> is
+This flag is I<off> by default.
-run by root with the I<-V> option.  If the I<secure_path> option
+
-is set, its -value will be used for the C<PATH> environment variable.
+=item tty_tickets
-This flag is I<on> by default.
+
 If set, users must authenticate on a per-tty basis.  Normally,
 B<sudo> uses a directory in the ticket dir with the same name as
 the user running it.  With this flag enabled, B<sudo> will use a
 file named for the tty the user is logged in on in that directory.
 This flag is I<@tty_tickets@> by default.
 =item use_loginclass
@@ -693,46 +736,20 @@ If set, B<sudo> will apply the defaults specified for the target user's
 login class if one exists.  Only available if B<sudo> is configured with
 the --with-logincap option.  This flag is I<off> by default.
 =item noexec
 If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
 tag has been set, unless overridden by a C<EXEC> tag.  See the
 description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
 ESCAPES> section at the end of this manual.  This flag is I<off> by default.
 =item monitor
 If set, all commands run via B<sudo> will behave as if the C<MONITOR>
 tag has been set, unless overridden by a C<NOMONITOR> tag.  See the
 description of I<MONITOR and NOMONITOR> below as well as the L<PREVENTING
 SHELL ESCAPES> section at the end of this manual.  Be aware that
 tracing is only supported on certain operating systems.  On systems
 where it is not supported this flag will have no effect.
 This flag is I<off> by default.
 =item ignore_local_sudoers
 If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
 This is intended for Enterprises that wish to prevent the usage of local
 sudoers files so that only LDAP is used.  This thwarts the efforts of
 rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
 When this option is present, @sysconfdir@/sudoers does not even need to exist. 
 Since this option tells B<sudo> how to behave when no specific LDAP entries
 have been matched, this sudoOption is only meaningful for the cn=defaults
 section.  This flag is I<off> by default.
 =item closefrom_override
 If set, the user may use B<sudo>'s B<-C> option which
 overrides the default starting point at which B<sudo> begins
 closing open file descriptors.  This flag is I<off> by default.
 =back
 B<Integers>:
 =over 12
 =item closefrom
 Before it executes a command, B<sudo> will close all open file
 descriptors other than standard input, standard output and standard
 error (ie: file descriptors 0-2).  The I<closefrom> option can be used
 to specify a different file descriptor at which to start closing.
 The default is C<3>.
 =item passwd_tries
 The number of tries a user gets to enter his/her password before
@@ -751,6 +768,11 @@ to decide when to wrap lines for nicer log files.  This has no
 effect on the syslog log file, only the file log.  The default is
 C<@loglen@> (use 0 or negate the option to disable word wrap).
 =item passwd_timeout
 Number of minutes before the B<sudo> password prompt times out.
 The default is C<@password_timeout@>; set this to C<0> for no password timeout.
 =item timestamp_timeout
 Number of minutes that can elapse before B<sudo> will ask for a
@@ -760,58 +782,42 @@ If set to a value less than C<0> the user's timestamp will never
 expire.  This can be used to allow users to create or delete their
 own timestamps via C<sudo -v> and C<sudo -k> respectively.
 =item passwd_timeout
 Number of minutes before the B<sudo> password prompt times out.
 The default is C<@password_timeout@>, set this to C<0> for no password timeout.
 =item umask
 Umask to use when running the command.  Negate this option or set
 it to 0777 to preserve the user's umask.  The default is C<@sudo_umask@>.
 =item closefrom
 Before it executes a command, B<sudo> will close all open file
 descriptors other than standard input, standard output and standard
 error (ie: file descriptors 0-2).  The I<closefrom> option can be used
 to specify a different file descriptor at which to start closing.
 The default is 3.
 =item setenv
 Allow the user to disable the I<env_reset> option from the command
 line.  Additionally, environment variables set via the command line
 are not subject to the restrictions imposed by I<env_check>,
 I<env_delete>, or I<env_keep>.  As such, only trusted users should
 be allowed to set variables in this manner.
 =back
 B<Strings>:
 =over 12
 =item badpass_message
 Message that is displayed if a user enters an incorrect password.
 The default is C<@badpass_message@> unless insults are enabled.
 =item editor
 A colon (':') separated list of editors allowed to be used with
 B<visudo>.  B<visudo> will choose the editor that matches the user's
 EDITOR environment variable if possible, or the first editor in the
 list that exists and is executable.  The default is the path to vi
 on your system.
 =item mailsub
 Subject of the mail sent to the I<mailto> user. The escape C<%h>
 will expand to the hostname of the machine.
 Default is C<@mailsub@>.
-=item badpass_message
+=item noexec_file
-Message that is displayed if a user enters an incorrect password.
+Path to a shared library containing dummy versions of the execv(),
-The default is C<@badpass_message@> unless insults are enabled.
+execve() and fexecve() library functions that just return an error.
-
+This is used to implement the I<noexec> functionality on systems that
-=item timestampdir
+support C<LD_PRELOAD> or its equivalent.  Defaults to F<@noexec_file@>.
 The directory in which B<sudo> stores its timestamp files.
 The default is F<@timedir@>.
 =item timestampowner
 The owner of the timestamp directory and the timestamps stored therein.
 The default is C<root>.
 =item passprompt
@@ -821,24 +827,24 @@ The following percent (`C<%>') escapes are supported:
 =over 8
-=item C<%u>
+=item C<%H>
-expanded to the invoking user's login name
+expanded to the local hostname including the domain name
 (on if the machine's hostname is fully qualified or the I<fqdn>
 option is set)
 =item C<%h>
 expanded to the local hostname without the domain name
 =item C<%U>
 expanded to the login name of the user the command will
 be run as (defaults to root)
-=item C<%h>
+=item C<%u>
-expanded to the local hostname without the domain name
+expanded to the invoking user's login name
 =item C<%H>
 expanded to the local hostname including the domain name
 (on if the machine's hostname is fully qualified or the I<fqdn>
 option is set)
 =item C<%%>
@@ -855,30 +861,25 @@ on the command line.  This defaults to C<@runas_default@>.
 Note that if I<runas_default> is set it B<must> occur before
 any C<Runas_Alias> specifications.
 =item syslog_goodpri
 Syslog priority to use when user authenticates successfully.
 Defaults to C<@goodpri@>.
 =item syslog_badpri
 Syslog priority to use when user authenticates unsuccessfully.
 Defaults to C<@badpri@>.
-=item editor
+=item syslog_goodpri
-A colon (':') separated list of editors allowed to be used with
+Syslog priority to use when user authenticates successfully.
-B<visudo>.  B<visudo> will choose the editor that matches the user's
+Defaults to C<@goodpri@>.
 EDITOR environment variable if possible, or the first editor in the
 list that exists and is executable.  The default is the path to vi
 on your system.
-=item noexec_file
+=item timestampdir
-Path to a shared library containing dummy versions of the execv(),
+The directory in which B<sudo> stores its timestamp files.
-execve() and fexecve() library functions that just return an error.
+The default is F<@timedir@>.
-This is used to implement the I<noexec> functionality on systems that
+
-support C<LD_PRELOAD> or its equivalent.  Defaults to F<@noexec_file@>.
+=item timestampowner
 The owner of the timestamp directory and the timestamps stored therein.
 The default is C<root>.
 =back
@@ -886,6 +887,11 @@ B<Strings that can be used in a boolean context>:
 =over 12
 =item exempt_group
 Users in this group are exempt from password and PATH requirements.
 This is not set by default.
 =item lecture
 This option controls when a short lecture will be printed along with
@@ -893,6 +899,10 @@ the password prompt.  It has the following possible values:
 =over 8
 =item always
 Always lecture the user.
 =item never
 Never lecture the user.
@@ -901,10 +911,6 @@ Never lecture the user.
 Only lecture the user the first time they run B<sudo>.
 =item always
 Always lecture the user.
 =back
 If no value is specified, a value of I<once> is implied.
@@ -915,76 +921,7 @@ The default value is I<@lecture@>.
 Path to a file containing an alternate B<sudo> lecture that will
 be used in place of the standard lecture if the named file exists.
-
+By default, B<sudo> uses a built-in lecture.
 =item logfile
 Path to the B<sudo> log file (not the syslog log file).  Setting a path
 turns on logging to a file; negating this option turns it off.
 =item syslog
 Syslog facility if syslog is being used for logging (negate to
 disable syslog logging).  Defaults to C<@logfac@>.
 =item mailerpath
 Path to mail program used to send warning mail.
 Defaults to the path to sendmail found at configure time.
 =item mailerflags
 Flags to use when invoking mailer. Defaults to B<-t>.
 =item mailto
 Address to send warning and error mail to.  The address should
 be enclosed in double quotes (C<">) to protect against B<sudo>
 interpreting the C<@> sign.  Defaults to C<@mailto@>.
 =item exempt_group
 Users in this group are exempt from password and PATH requirements.
 This is not set by default.
 =item secure_path
 Path used for every command run from B<sudo>.  If you don't trust the
 people running B<sudo> to have a sane C<PATH> environment variable you may
 want to use this.  Another use is if you want to have the "root path"
 be separate from the "user path."  Users in the group specified by the
 I<exempt_group> option are not affected by I<secure_path>.
 This is not set by default.
 =item verifypw
 This option controls when a password will be required when a user runs
 B<sudo> with the B<-v> flag.  It has the following possible values:
 =over 8
 =item all
 All the user's I<sudoers> entries for the current host must have
 the C<NOPASSWD> flag set to avoid entering a password.
 =item any
 At least one of the user's I<sudoers> entries for the current host
 must have the C<NOPASSWD> flag set to avoid entering a password.
 =item never
 The user need never enter a password to use the B<-v> flag.
 =item always
 The user must always enter a password to use the B<-v> flag.
 =back
 If no value is specified, a value of I<all> is implied.
 Negating the option results in a value of I<never> being used.
 The default value is I<all>.
 =item listpw
@@ -998,6 +935,10 @@ user runs B<sudo> with the B<-l> flag.  It has the following possible values:
 All the user's I<sudoers> entries for the current host must have
 the C<NOPASSWD> flag set to avoid entering a password.
 =item always
 The user must always enter a password to use the B<-l> flag.
 =item any
 At least one of the user's I<sudoers> entries for the current host
@@ -1007,16 +948,78 @@ must have the C<NOPASSWD> flag set to avoid entering a password.
 The user need never enter a password to use the B<-l> flag.
 =item always
 The user must always enter a password to use the B<-l> flag.
 =back
 If no value is specified, a value of I<any> is implied.
 Negating the option results in a value of I<never> being used.
 The default value is I<any>.
 =item logfile
 Path to the B<sudo> log file (not the syslog log file).  Setting a path
 turns on logging to a file; negating this option turns it off.
 By default, B<sudo> logs via syslog.
 =item mailerflags
 Flags to use when invoking mailer. Defaults to B<-t>.
 =item mailerpath
 Path to mail program used to send warning mail.
 Defaults to the path to sendmail found at configure time.
 =item mailto
 Address to send warning and error mail to.  The address should
 be enclosed in double quotes (C<">) to protect against B<sudo>
 interpreting the C<@> sign.  Defaults to C<@mailto@>.
 =item secure_path
 Path used for every command run from B<sudo>.  If you don't trust the
 people running B<sudo> to have a sane C<PATH> environment variable you may
 want to use this.  Another use is if you want to have the "root path"
 be separate from the "user path."  Users in the group specified by the
 I<exempt_group> option are not affected by I<secure_path>.
 This is not set by default.
 =item syslog
 Syslog facility if syslog is being used for logging (negate to
 disable syslog logging).  Defaults to C<@logfac@>.
 =item verifypw
 This option controls when a password will be required when a user runs
 B<sudo> with the B<-v> flag.  It has the following possible values:
 =over 8
 =item all
 All the user's I<sudoers> entries for the current host must have
 the C<NOPASSWD> flag set to avoid entering a password.
 =item always
 The user must always enter a password to use the B<-v> flag.
 =item any
 At least one of the user's I<sudoers> entries for the current host
 must have the C<NOPASSWD> flag set to avoid entering a password.
 =item never
 The user need never enter a password to use the B<-v> flag.
 =back
 If no value is specified, a value of I<all> is implied.
 Negating the option results in a value of I<never> being used.
 The default value is I<all>.
 =back
 B<Lists that can be used in a boolean context>: