=over 16
-=item always_set_home
+=item mail_badpass
-If set, B<sudo> will set the C<HOME> environment variable to the home
-directory of the target user (which is root unless the B<-u> option is used).
-This effectively means that the B<-H> flag is always implied.
-This flag is I<off> by default.
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password. This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag. See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual. This flag is I<off> by default.
=item authenticate
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make affect B<sudo> performance if DNS stops working (for example
-if the machine is not plugged into the network). The default behavior for
-Debian has been modified to minimize the potential of a problem, but there
-may still be some cases in which lack of working DNS might make sudo work
-very slowly. Also note that
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
=item env_check
-Like I<env_keep>, but listed environment variables are taken from the user's environment if
-the variable's value does B<not> contain C<%> or C</> characters. This can
+Environment variables to be removed from the user's environment if
+the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
come first, followed by any C<Default_Entry> lines, and finally the
C<Runas_Alias> and user specifications. The basic rule of thumb
-is that you cannot reference an Alias that has not already been defined.
+is you cannot reference an Alias that has not already been defined.
+
+Below are example I<sudoers> entries. Admittedly, some of
+these are a bit contrived. First, we define our I<aliases>:
Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we allow a few environment
projects / debian / sudo / blobdiff