Use the Oxford comma consistently, it is helpful in technical documents.

docs/cvtsudoers.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2018, 2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2018, 2021-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "CVTSUDOERS" "1" "December 16, 2021" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -99,7 +99,7 @@ All Defaults entries.
 .TP 10n
 global
 Global Defaults entries that are applied regardless of
-user, runas, host or command.
+user, runas, host, or command.
 .TP 10n
 user
 Per-user Defaults entries.
@@ -172,12 +172,12 @@ Conversion to LDIF has the following limitations:
 .PD 0
 .TP 3n
 \fB\(bu\fR
-Command, host, runas and user-specific Defaults lines cannot be
+Command, host, runas, and user-specific Defaults lines cannot be
 translated as they don't have an equivalent in the sudoers LDAP schema.
 .PD
 .TP 3n
 \fB\(bu\fR
-Command, host, runas and user aliases are not supported by the
+Command, host, runas, and user aliases are not supported by the
 sudoers LDAP schema so they are expanded during the conversion.
 .PD 0
 .PP
@@ -272,10 +272,10 @@ or
 .sp
 A matching
 \fIsudoers\fR
-rule may also include users, groups and hosts that are not part of the
+rule may also include users, groups, and hosts that are not part of the
 \fIfilter\fR.
-This can happen when a rule includes multiple users, groups or hosts.
+This can happen when a rule includes multiple users, groups, or hosts.
-To prune out any non-matching user, group or host from the rules, the
+To prune out any non-matching user, group, or host from the rules, the
 \fB\-p\fR
 option may be used.
 .sp
@@ -338,7 +338,7 @@ When the
 \fB\-m\fR
 option is also specified,
 \fBcvtsudoers\fR
-will prune out non-matching users, groups and hosts from
+will prune out non-matching users, groups, and hosts from
 matching entries.
 .TP 12n
 \fB\-P\fR \fIpadding\fR, \fB\--padding\fR=\fIpadding\fR
@@ -428,7 +428,7 @@ each conflict.
 If a host name is specified with the input file,
 \fBcvtsudoers\fR
 will change the global Defaults settings in that file to be host-specific.
-A warning is emitted for command, user or runas-specific Defaults settings
+A warning is emitted for command, user, or runas-specific Defaults settings
 which cannot be made host-specific.
 .TP 3n
 \fB\(bu\fR

docs/cvtsudoers.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2018, 2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2018, 2021-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd December 16, 2021
+.Dd January 19, 2022
 .Dt CVTSUDOERS 1
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -90,7 +90,7 @@ The supported types are:
 All Defaults entries.
 .It global
 Global Defaults entries that are applied regardless of
-user, runas, host or command.
+user, runas, host, or command.
 .It user
 Per-user Defaults entries.
 .It runas
@@ -148,10 +148,10 @@ server for use with
 Conversion to LDIF has the following limitations:
 .Bl -bullet -width 1n
 .It
-Command, host, runas and user-specific Defaults lines cannot be
+Command, host, runas, and user-specific Defaults lines cannot be
 translated as they don't have an equivalent in the sudoers LDAP schema.
 .It
-Command, host, runas and user aliases are not supported by the
+Command, host, runas, and user aliases are not supported by the
 sudoers LDAP schema so they are expanded during the conversion.
 .El
 .It sudoers
@@ -225,10 +225,10 @@ or
 .Pp
 A matching
 .Em sudoers
-rule may also include users, groups and hosts that are not part of the
+rule may also include users, groups, and hosts that are not part of the
 .Ar filter .
-This can happen when a rule includes multiple users, groups or hosts.
+This can happen when a rule includes multiple users, groups, or hosts.
-To prune out any non-matching user, group or host from the rules, the
+To prune out any non-matching user, group, or host from the rules, the
 .Fl p
 option may be used.
 .Pp
@@ -286,7 +286,7 @@ When the
 .Fl m
 option is also specified,
 .Nm
-will prune out non-matching users, groups and hosts from
+will prune out non-matching users, groups, and hosts from
 matching entries.
 .It Fl P Ar padding , Fl -padding Ns = Ns Ar padding
 When generating LDIF output, construct the initial sudoOrder value by
@@ -372,7 +372,7 @@ each conflict.
 If a host name is specified with the input file,
 .Nm
 will change the global Defaults settings in that file to be host-specific.
-A warning is emitted for command, user or runas-specific Defaults settings
+A warning is emitted for command, user, or runas-specific Defaults settings
 which cannot be made host-specific.
 .It
 Per-user rules are merged and duplicates are removed.

docs/sudo.conf.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.TH "SUDO.CONF" "@mansectform@" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO.CONF" "@mansectform@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -29,15 +29,15 @@ The
 file is used to configure the
 \fBsudo\fR
 front-end.
-It specifies the security policy and I/O logging plugins, debug flags
+It is used to configure sudo plugins, plugin-agnostic path names,
-as well as plugin-agnostic path names and settings.
+debug flags, and other settings.
 .PP
 The
 \fBsudo.conf\fR
 file supports the following directives, described in detail below.
 .TP 10n
 Plugin
-an approval, audit, I/O logging or security policy plugin
+an approval, audit, I/O logging, or security policy plugin
 .TP 10n
 Path
 a plugin-agnostic path
@@ -186,7 +186,7 @@ file is present, or if it contains no
 lines, the
 \fBsudoers\fR
 plugin will be used as the default security policy, for I/O logging
-(if enabled by the policy) and for auditing.
+(if enabled by the policy), and for auditing.
 This is equivalent to the following:
 .nf
 .sp
@@ -493,7 +493,7 @@ Currently,
 \fBsudo\fR
 supports efficient group queries on AIX,
 BSD,
-HP-UX, Linux, macOS and Solaris.
+HP-UX, Linux, macOS, and Solaris.
 This is the default behavior on macOS in
 \fBsudo\fR
 1.9.6 and higher.
@@ -572,13 +572,13 @@ A
 \fRDebug\fR
 line consists of the
 \fRDebug\fR
-keyword, followed by the name of the program, plugin or shared object to debug,
+keyword, followed by the name of the program, plugin, or shared object
-the debug file name and a comma-separated list of debug flags.
+to debug, the debug file name, and a comma-separated list of debug flags.
 The debug flag syntax used by
 \fBsudo\fR,
 the
 \fBsudoers\fR
-plugin and its associated programs and shared objects is
+plugin along with its associated programs and shared objects is
 \fIsubsystem\fR@\fIpriority\fR
 but a third-party plugin is free to use a different format so long
 as it does not include a comma
@@ -637,7 +637,7 @@ entry as the
 front-end and could not be configured separately.
 .PP
 The following priorities are supported, in order of decreasing severity:
-\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR,
 and
 \fIdebug\fR.
 Each priority, when specified, also includes all priorities higher
@@ -667,7 +667,7 @@ sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
 .PP
 When the function is entered, indicated by a right arrow
 \(oq->\(cq,
-the program, process ID, function, source file and line number
+the program, process ID, function, source file, and line number
 are logged.
 When the function returns, indicated by a left arrow
 \(oq<-\(cq,
@@ -863,10 +863,10 @@ front-end configuration
 #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
 #
 # Sudo and related programs support logging debug information to a file.
-# The program is typically sudo, sudoers.so, sudoreplay or visudo.
+# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
 #
 # Subsystems vary based on the program; "all" matches all subsystems.
-# Priority may be crit, err, warn, notice, diag, info, trace or debug.
+# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
 #Debug sudo /var/log/sudo_debug all@debug

docs/sudo.conf.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.Dd September 17, 2021
+.Dd January 19, 2022
 .Dt SUDO.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -28,15 +28,15 @@ The
 file is used to configure the
 .Nm sudo
 front-end.
-It specifies the security policy and I/O logging plugins, debug flags
+It is used to configure sudo plugins, plugin-agnostic path names,
-as well as plugin-agnostic path names and settings.
+debug flags, and other settings.
 .Pp
 The
 .Nm
 file supports the following directives, described in detail below.
 .Bl -tag -width 8n
 .It Plugin
-an approval, audit, I/O logging or security policy plugin
+an approval, audit, I/O logging, or security policy plugin
 .It Path
 a plugin-agnostic path
 .It Set
@@ -171,7 +171,7 @@ file is present, or if it contains no
 lines, the
 .Nm sudoers
 plugin will be used as the default security policy, for I/O logging
-(if enabled by the policy) and for auditing.
+(if enabled by the policy), and for auditing.
 This is equivalent to the following:
 .Bd -literal -offset indent
 Plugin sudoers_policy sudoers.so
@@ -453,7 +453,7 @@ Currently,
 .Nm sudo
 supports efficient group queries on AIX,
 .Bx ,
-HP-UX, Linux, macOS and Solaris.
+HP-UX, Linux, macOS, and Solaris.
 This is the default behavior on macOS in
 .Nm sudo
 1.9.6 and higher.
@@ -522,13 +522,13 @@ A
 .Li Debug
 line consists of the
 .Li Debug
-keyword, followed by the name of the program, plugin or shared object to debug,
+keyword, followed by the name of the program, plugin, or shared object
-the debug file name and a comma-separated list of debug flags.
+to debug, the debug file name, and a comma-separated list of debug flags.
 The debug flag syntax used by
 .Nm sudo ,
 the
 .Nm sudoers
-plugin and its associated programs and shared objects is
+plugin along with its associated programs and shared objects is
 .Em subsystem Ns @ Ns Em priority
 but a third-party plugin is free to use a different format so long
 as it does not include a comma
@@ -581,7 +581,7 @@ entry as the
 front-end and could not be configured separately.
 .Pp
 The following priorities are supported, in order of decreasing severity:
-.Em crit , err , warn , notice , diag , info , trace
+.Em crit , err , warn , notice , diag , info , trace ,
 and
 .Em debug .
 Each priority, when specified, also includes all priorities higher
@@ -608,7 +608,7 @@ sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
 .Pp
 When the function is entered, indicated by a right arrow
 .Ql -> ,
-the program, process ID, function, source file and line number
+the program, process ID, function, source file, and line number
 are logged.
 When the function returns, indicated by a left arrow
 .Ql <- ,
@@ -792,10 +792,10 @@ front-end configuration
 #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
 #
 # Sudo and related programs support logging debug information to a file.
-# The program is typically sudo, sudoers.so, sudoreplay or visudo.
+# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
 #
 # Subsystems vary based on the program; "all" matches all subsystems.
-# Priority may be crit, err, warn, notice, diag, info, trace or debug.
+# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
 #Debug sudo /var/log/sudo_debug all@debug

docs/sudo.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "December 11, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -108,10 +108,10 @@ user-ID is used to determine the user name with which
 to query the security policy.
 .PP
 \fBsudo\fR
-supports a plugin architecture for security policies and input/output
+supports a plugin architecture for security policies, auditing,
-logging.
+and input/output logging.
-Third parties can develop and distribute their own policy and I/O
+Third parties can develop and distribute their own plugins to work
-logging plugins to work seamlessly with the
+seamlessly with the
 \fBsudo\fR
 front-end.
 The default security policy is
@@ -178,7 +178,8 @@ the
 \fB\-e\fR
 option (described below), is implied.
 .PP
-Security policies may log successful and failed attempts to use
+Security policies and audit plugins may log successful and failed attempts
+to run
 \fBsudo\fR.
 If an I/O plugin is configured, the running command's input and
 output may be logged as well.
@@ -255,7 +256,7 @@ Values less than three are not permitted.
 By default,
 \fBsudo\fR
 will close all open file descriptors other than standard input,
-standard output and standard error when executing a command.
+standard output, and standard error when executing a command.
 The security policy may restrict the user's ability to use this option.
 The
 \fIsudoers\fR
@@ -444,7 +445,7 @@ Run the shell specified by the target user's password database entry
 as a login shell.
 This means that login-specific resource files such as
 \fI.profile\fR,
-\fI.bash_profile\fR
+\fI.bash_profile\fR,
 or
 \fI.login\fR
 will be read by the shell.
@@ -484,7 +485,7 @@ When used without a command, invalidates the user's cached credentials.
 In other words, the next time
 \fBsudo\fR
 is run a password will be required.
-This option does not require a password and was added to allow a
+This option does not require a password, and was added to allow a
 user to revoke
 \fBsudo\fR
 permissions from a
@@ -551,7 +552,7 @@ policy:
 .PD 0
 .TP 4n
 \fR%H\fR
-expanded to the host name including the domain name (on if the
+expanded to the host name including the domain name (only if the
 machine's host name is fully qualified or the
 \fIfqdn\fR
 option is set in
@@ -693,13 +694,12 @@ Other security policies may not support this.
 \fB\-V\fR, \fB\--version\fR
 Print the
 \fBsudo\fR
-version string as well as the version string of the security
+version string as well as the version string of any configured plugins.
-policy plugin and any I/O plugins.
+If the invoking user is already root, the
-If the invoking user is already root the
 \fB\-V\fR
 option will display the arguments passed to configure when
 \fBsudo\fR
-was built and plugins may display more verbose information such as
+was built; plugins may display additional information such as
 default options.
 .TP 12n
 \fB\-v\fR, \fB\--validate\fR
@@ -867,7 +867,8 @@ first.
 The
 \fIsudoers\fR
 policy plugin will only define a close function when I/O logging
-is enabled, a pty is required, or the
+is enabled, a pty is required, an SELinux role is specified, the
+command has an associated timeout, or the
 \fIpam_session\fR
 or
 \fIpam_setcred\fR
@@ -948,7 +949,7 @@ family of functions instead of
 If no I/O logging plugins are loaded and the policy plugin has not
 defined a
 \fBclose\fR()
-function, set a command timeout or required that the command be
+function, set a command timeout, or required that the command be
 run in a new pty,
 \fBsudo\fR
 may execute the command directly instead of running it as a child process.
@@ -970,7 +971,7 @@ lines,
 \fBsudo\fR
 will use
 sudoers(@mansectform@)
-for the policy, auditing and I/O logging plugins.
+for the policy, auditing, and I/O logging plugins.
 See the
 sudo.conf(@mansectform@)
 manual for details of the
@@ -1001,7 +1002,7 @@ option, the exit value will only be 0 if the command is permitted by the
 security policy, otherwise it will be 1.
 .PP
 If there is an authentication failure, a configuration/permission
-problem or if the given command cannot be executed,
+problem, or if the given command cannot be executed,
 \fBsudo\fR
 exits with a value of 1.
 In the latter case, the error string is printed to the standard error.
@@ -1114,7 +1115,7 @@ is set.
 \fRMAIL\fR
 Set to the mail spool of the target user when the
 \fB\-i\fR
-option is specified or when
+option is specified, or when
 \fIenv_reset\fR
 is enabled in
 \fIsudoers\fR
@@ -1155,7 +1156,7 @@ Set to the login name of the target user when the
 option is specified, when the
 \fIset_logname\fR
 option is enabled in
-\fIsudoers\fR
+\fIsudoers\fR,
 or when the
 \fIenv_reset\fR
 option is enabled in

docs/sudo.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd December 11, 2021
+.Dd January 19, 2022
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -112,10 +112,10 @@ user-ID is used to determine the user name with which
 to query the security policy.
 .Pp
 .Nm
-supports a plugin architecture for security policies and input/output
+supports a plugin architecture for security policies, auditing,
-logging.
+and input/output logging.
-Third parties can develop and distribute their own policy and I/O
+Third parties can develop and distribute their own plugins to work
-logging plugins to work seamlessly with the
+seamlessly with the
 .Nm
 front-end.
 The default security policy is
@@ -182,7 +182,8 @@ the
 .Fl e
 option (described below), is implied.
 .Pp
-Security policies may log successful and failed attempts to use
+Security policies and audit plugins may log successful and failed attempts
+to run
 .Nm .
 If an I/O plugin is configured, the running command's input and
 output may be logged as well.
@@ -250,7 +251,7 @@ Values less than three are not permitted.
 By default,
 .Nm
 will close all open file descriptors other than standard input,
-standard output and standard error when executing a command.
+standard output, and standard error when executing a command.
 The security policy may restrict the user's ability to use this option.
 The
 .Em sudoers
@@ -421,7 +422,7 @@ Run the shell specified by the target user's password database entry
 as a login shell.
 This means that login-specific resource files such as
 .Pa .profile ,
-.Pa .bash_profile
+.Pa .bash_profile ,
 or
 .Pa .login
 will be read by the shell.
@@ -459,7 +460,7 @@ When used without a command, invalidates the user's cached credentials.
 In other words, the next time
 .Nm
 is run a password will be required.
-This option does not require a password and was added to allow a
+This option does not require a password, and was added to allow a
 user to revoke
 .Nm
 permissions from a
@@ -519,7 +520,7 @@ escape sequences are supported by the
 policy:
 .Bl -tag -width 2n
 .It Li %H
-expanded to the host name including the domain name (on if the
+expanded to the host name including the domain name (only if the
 machine's host name is fully qualified or the
 .Em fqdn
 option is set in
@@ -646,13 +647,12 @@ Other security policies may not support this.
 .It Fl V , -version
 Print the
 .Nm
-version string as well as the version string of the security
+version string as well as the version string of any configured plugins.
-policy plugin and any I/O plugins.
+If the invoking user is already root, the
-If the invoking user is already root the
 .Fl V
 option will display the arguments passed to configure when
 .Nm
-was built and plugins may display more verbose information such as
+was built; plugins may display additional information such as
 default options.
 .It Fl v , -validate
 Update the user's cached credentials, authenticating the user
@@ -808,7 +808,8 @@ first.
 The
 .Em sudoers
 policy plugin will only define a close function when I/O logging
-is enabled, a pty is required, or the
+is enabled, a pty is required, an SELinux role is specified, the
+command has an associated timeout, or the
 .Em pam_session
 or
 .Em pam_setcred
@@ -889,7 +890,7 @@ family of functions instead of
 If no I/O logging plugins are loaded and the policy plugin has not
 defined a
 .Fn close
-function, set a command timeout or required that the command be
+function, set a command timeout, or required that the command be
 run in a new pty,
 .Nm
 may execute the command directly instead of running it as a child process.
@@ -911,7 +912,7 @@ lines,
 .Nm
 will use
 .Xr sudoers @mansectform@
-for the policy, auditing and I/O logging plugins.
+for the policy, auditing, and I/O logging plugins.
 See the
 .Xr sudo.conf @mansectform@
 manual for details of the
@@ -942,7 +943,7 @@ option, the exit value will only be 0 if the command is permitted by the
 security policy, otherwise it will be 1.
 .Pp
 If there is an authentication failure, a configuration/permission
-problem or if the given command cannot be executed,
+problem, or if the given command cannot be executed,
 .Nm
 exits with a value of 1.
 In the latter case, the error string is printed to the standard error.
@@ -1051,7 +1052,7 @@ is set.
 .It Ev MAIL
 Set to the mail spool of the target user when the
 .Fl i
-option is specified or when
+option is specified, or when
 .Em env_reset
 is enabled in
 .Em sudoers
@@ -1090,7 +1091,7 @@ Set to the login name of the target user when the
 option is specified, when the
 .Em set_logname
 option is enabled in
-.Em sudoers
+.Em sudoers ,
 or when the
 .Em env_reset
 option is enabled in

docs/sudo_logsrv.proto.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "August 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -124,7 +124,7 @@ An
 is used to represent information about the invoking user as well as the
 execution environment the command runs in the form of key-value pairs.
 The key is always a string but the value may be a 64-bit integer,
-a string, an array of strings or an array of 64-bit integers.
+a string, an array of strings, or an array of 64-bit integers.
 The event log data is composed of
 \fIInfoMessage\fR
 entries.
@@ -361,7 +361,7 @@ message IoBuffer {
 An
 \fIIoBuffer\fR
 is used to represent data from terminal input, terminal
-output, standard input, standard output or standard error.
+output, standard input, standard output, or standard error.
 It contains the following members:
 .TP 8n
 delay
@@ -373,7 +373,7 @@ should be calculated using a monotonic clock where possible.
 .TP 8n
 data
 The binary I/O log data from terminal input, terminal output,
-standard input, standard output or standard error.
+standard input, standard output, or standard error.
 .SS "ChangeWindowSize winsize_event"
 .nf
 .RS 0n

docs/sudo_logsrv.proto.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd August 3, 2021
+.Dd January 19, 2022
 .Dt SUDO_LOGSRV.PROTO @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -116,7 +116,7 @@ An
 is used to represent information about the invoking user as well as the
 execution environment the command runs in the form of key-value pairs.
 The key is always a string but the value may be a 64-bit integer,
-a string, an array of strings or an array of 64-bit integers.
+a string, an array of strings, or an array of 64-bit integers.
 The event log data is composed of
 .Em InfoMessage
 entries.
@@ -334,7 +334,7 @@ message IoBuffer {
 An
 .Em IoBuffer
 is used to represent data from terminal input, terminal
-output, standard input, standard output or standard error.
+output, standard input, standard output, or standard error.
 It contains the following members:
 .Bl -tag -width Ds
 .It delay
@@ -345,7 +345,7 @@ The
 should be calculated using a monotonic clock where possible.
 .It data
 The binary I/O log data from terminal input, terminal output,
-standard input, standard output or standard error.
+standard input, standard output, or standard error.
 .El
 .Ss ChangeWindowSize winsize_event
 .Bd -literal

docs/sudo_logsrvd.conf.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "October 16, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -31,7 +31,7 @@ log server.
 It uses an INI-style format made up of sections in square brackets and
 \(lqkey = value\(rq
 pairs specific to each section below the section name.
-Depending on the key, values may be integers, booleans or strings.
+Depending on the key, values may be integers, booleans, or strings.
 Section and key names are not case sensitive, but values are.
 .PP
 The pound sign
@@ -571,7 +571,7 @@ are set, I/O log files and directories are created with group-ID 0.
 .TP 10n
 iolog_mode = mode
 The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group or other
+Mode bits for read and write permissions for owner, group, or other
 are honored, everything else is ignored.
 The file permissions will always include the owner read and
 write bits, even if they are not present in the specified mode.
@@ -612,7 +612,7 @@ The
 section configures how (and if) security policy events are logged.
 .TP 6n
 log_type = string
-Where to log accept, reject and alert events reported by the policy.
+Where to log accept, reject, and alert events reported by the policy.
 Supported values are
 \fIsyslog\fR,
 \fIlogfile\fR,
@@ -718,7 +718,7 @@ creates log messages up to 960 bytes which corresponds to the
 historic
 BSD
 syslog implementation which used a 1024 byte buffer
-to store the message, date, hostname and program name.
+to store the message, date, hostname, and program name.
 .sp
 To prevent syslog messages from being truncated,
 \fBsudo_logsrvd\fR
@@ -956,7 +956,7 @@ Sudo log server configuration file
 #maxseq = 2176782336
 
 [eventlog]
-# Where to log accept, reject, exit and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog

docs/sudo_logsrvd.conf.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd October 16, 2021
+.Dd January 19, 2022
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -30,7 +30,7 @@ log server.
 It uses an INI-style format made up of sections in square brackets and
 .Dq key = value
 pairs specific to each section below the section name.
-Depending on the key, values may be integers, booleans or strings.
+Depending on the key, values may be integers, booleans, or strings.
 Section and key names are not case sensitive, but values are.
 .Pp
 The pound sign
@@ -505,7 +505,7 @@ nor
 are set, I/O log files and directories are created with group-ID 0.
 .It iolog_mode = mode
 The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group or other
+Mode bits for read and write permissions for owner, group, or other
 are honored, everything else is ignored.
 The file permissions will always include the owner read and
 write bits, even if they are not present in the specified mode.
@@ -545,7 +545,7 @@ The
 section configures how (and if) security policy events are logged.
 .Bl -tag -width 4n
 .It log_type = string
-Where to log accept, reject and alert events reported by the policy.
+Where to log accept, reject, and alert events reported by the policy.
 Supported values are
 .Em syslog ,
 .Em logfile ,
@@ -646,7 +646,7 @@ creates log messages up to 960 bytes which corresponds to the
 historic
 .Bx
 syslog implementation which used a 1024 byte buffer
-to store the message, date, hostname and program name.
+to store the message, date, hostname, and program name.
 .Pp
 To prevent syslog messages from being truncated,
 .Nm sudo_logsrvd
@@ -884,7 +884,7 @@ Sudo log server configuration file
 #maxseq = 2176782336
 
 [eventlog]
-# Where to log accept, reject, exit and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog

docs/sudo_plugin.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_PLUGIN" "5" "November 8, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_PLUGIN" "5" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -33,11 +33,10 @@ systems that support them) or compiled statically into the
 binary itself.
 By default, the
 \fBsudoers\fR
-policy plugin and an associated I/O logging plugin are used.
+plugin provides audit, security policy and I/O logging capabilities.
 Via the plugin API,
 \fBsudo\fR
-can be configured to use alternate policy and/or I/O logging plugins
+can be configured to use alternate plugins provided by third parties.
-provided by third parties.
 The plugins to be used are specified in the
 sudo.conf(@mansectform@)
 file.
@@ -286,8 +285,7 @@ from the
 \fBcheck_policy\fR()
 function, which will cause
 \fBsudo\fR
-to print a usage message and
+to print a usage message and exit.
-exit.
 .TP 6n
 implied_shell=bool
 If the user does not specify a program on the command line,
@@ -1404,7 +1402,7 @@ SELinux type to use when executing the command.
 set_utmp=bool
 Create a utmp (or utmpx) entry when a pseudo-terminal is allocated.
 By default, the new entry will be a copy of the user's existing utmp
-entry (if any), with the tty, time, type and pid fields updated.
+entry (if any), with the tty, time, type, and pid fields updated.
 .TP 6n
 sudoedit=bool
 Set to true when in
@@ -1546,7 +1544,7 @@ int (*list)(int argc, char * const argv[], int verbose,
 .RS 6n
 .sp
 List available privileges for the invoking user.
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 \fBconversation\fR()
 or
@@ -1651,7 +1649,7 @@ function should be
 \fRNULL\fR
 if the plugin does not support credential caching.
 .sp
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 \fBconversation\fR()
 or
@@ -1794,7 +1792,7 @@ front-end before using
 \fIuser_env_out\fR.
 Failure to do so may result in a crash.
 .sp
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 \fBconversation\fR()
 or
@@ -1835,7 +1833,7 @@ The
 \fBregister_hook\fR()
 function should be used to register any supported
 hooks the plugin needs.
-It returns 0 on success, 1 if the hook type is not supported and \-1
+It returns 0 on success, 1 if the hook type is not supported, and \-1
 if the major version in
 \fRstruct hook\fR
 does not match the front-end's major hook API version.
@@ -2038,7 +2036,7 @@ When an I/O plugin is loaded,
 runs the command in a pseudo-terminal.
 This makes it possible to log the input and output from the user's
 session.
-If any of the standard input, standard output or standard error do not
+If any of the standard input, standard output, or standard error do not
 correspond to a tty,
 \fBsudo\fR
 will open a pipe to capture
@@ -2051,10 +2049,10 @@ The log_ttyout function receives output from the pseudo-terminal that is
 suitable for replaying the user's session at a later time.
 The
 \fBlog_stdin\fR(),
-\fBlog_stdout\fR()
+\fBlog_stdout\fR(),
 and
 \fBlog_stderr\fR()
-functions are only called if the standard input, standard output
+functions are only called if the standard input, standard output,
 or standard error respectively correspond to something other than
 a tty.
 .PP
@@ -2439,7 +2437,7 @@ the user but before it is passed to the running command.
 This allows the plugin to reject data if it chooses to (for instance
 if the input contains banned content).
 Returns 1 if the data should be passed to the command, 0 if the data
-is rejected (which will terminate the running command) or \-1 if an
+is rejected (which will terminate the running command), or \-1 if an
 error occurred.
 .sp
 The function arguments are as follows:
@@ -2499,7 +2497,7 @@ the command but before it is written to the user's terminal.
 This allows the plugin to reject data if it chooses to (for instance
 if the output contains banned content).
 Returns 1 if the data should be passed to the user, 0 if the data is rejected
-(which will terminate the running command) or \-1 if an error occurred.
+(which will terminate the running command), or \-1 if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -2559,8 +2557,9 @@ It is called whenever data can be read from the standard input but
 before it is passed to the running command.
 This allows the plugin to reject data if it chooses to
 (for instance if the input contains banned content).
-Returns 1 if the data should be passed to the command, 0 if the data is
+Returns 1 if the data should be passed to the command, 0 if the
-rejected (which will terminate the running command) or \-1 if an error occurred.
+data is rejected (which will terminate the running command), or \-1
+if an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -2620,8 +2619,9 @@ It is called whenever data can be read from the command but before
 it is written to the standard output.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
-Returns 1 if the data should be passed to the user, 0 if the data is
+Returns 1 if the data should be passed to the user, 0 if the data
-rejected (which will terminate the running command) or \-1 if an error occurred.
+is rejected (which will terminate the running command), or \-1 if
+an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -2681,8 +2681,9 @@ It is called whenever data can be read from the command but before it
 is written to the standard error.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
-Returns 1 if the data should be passed to the user, 0 if the data is
+Returns 1 if the data should be passed to the user, 0 if the data
-rejected (which will terminate the running command) or \-1 if an error occurred.
+is rejected (which will terminate the running command), or \-1 if
+an error occurred.
 .sp
 The function arguments are as follows:
 .TP 6n
@@ -3009,7 +3010,7 @@ The
 function may also be used to display additional error message to the user.
 The
 \fBconversation\fR()
-function returns 0 on success and \-1 on failure.
+function returns 0 on success, and \-1 on failure.
 .TP 6n
 plugin_printf
 A pointer to a
@@ -3227,7 +3228,7 @@ front-end.
 plugin_type
 The type of plugin that accepted the command, currently either
 \fRSUDO_POLICY_PLUGIN\fR,
-\fRSUDO_POLICY_APPROVAL\fR
+\fRSUDO_POLICY_APPROVAL\fR,
 or
 \fRSUDO_FRONT_END\fR.
 The
@@ -3346,7 +3347,7 @@ The name of the plugin that rejected the command.
 plugin_type
 The type of plugin that rejected the command, currently either
 \fRSUDO_POLICY_PLUGIN\fR,
-\fRSUDO_APPROVAL_PLUGIN\fR
+\fRSUDO_APPROVAL_PLUGIN\fR,
 or
 \fRSUDO_IO_PLUGIN\fR.
 .sp
@@ -4787,12 +4788,12 @@ or
 try to write the message to the user's terminal.
 If the terminal is unavailable, the standard error or standard output
 will be used, depending upon whether
-The user's terminal is always used when possible for input,
-this flag is only used for output.
 \fRSUDO_CONV_ERROR_MSG\fR
 or
 \fRSUDO_CONV_INFO_MSG\fR
 was used.
+The user's terminal is always used when possible for input,
+this flag is only used for output.
 .PP
 The
 \fItimeout\fR
@@ -4891,7 +4892,7 @@ This can be used to query a group source other than the standard Unix
 group database.
 Two sample group plugins are bundled with
 \fBsudo\fR,
-\fIgroup_file\fR
+\fIgroup_file\fR,
 and
 \fIsystem_group\fR,
 are detailed in
@@ -4902,7 +4903,7 @@ A group plugin must declare and populate a
 \fRsudoers_group_plugin\fR
 struct in the global scope.
 This structure contains pointers to the functions that implement plugin
-initialization, cleanup and group lookup.
+initialization, cleanup, and group lookup.
 .nf
 .sp
 .RS 0n

docs/sudo_plugin.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd November 8, 2021
+.Dd January 19, 2022
 .Dt SUDO_PLUGIN @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -32,11 +32,10 @@ systems that support them) or compiled statically into the
 binary itself.
 By default, the
 .Nm sudoers
-policy plugin and an associated I/O logging plugin are used.
+plugin provides audit, security policy and I/O logging capabilities.
 Via the plugin API,
 .Nm sudo
-can be configured to use alternate policy and/or I/O logging plugins
+can be configured to use alternate plugins provided by third parties.
-provided by third parties.
 The plugins to be used are specified in the
 .Xr sudo.conf @mansectform@
 file.
@@ -265,8 +264,7 @@ from the
 .Fn check_policy
 function, which will cause
 .Nm sudo
-to print a usage message and
+to print a usage message and exit.
-exit.
 .It implied_shell=bool
 If the user does not specify a program on the command line,
 .Nm sudo
@@ -1256,7 +1254,7 @@ SELinux type to use when executing the command.
 .It set_utmp=bool
 Create a utmp (or utmpx) entry when a pseudo-terminal is allocated.
 By default, the new entry will be a copy of the user's existing utmp
-entry (if any), with the tty, time, type and pid fields updated.
+entry (if any), with the tty, time, type, and pid fields updated.
 .It sudoedit=bool
 Set to true when in
 .Em sudoedit
@@ -1380,7 +1378,7 @@ int (*list)(int argc, char * const argv[], int verbose,
 .Ed
 .Pp
 List available privileges for the invoking user.
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 .Fn conversation
 or
@@ -1474,7 +1472,7 @@ function should be
 .Dv NULL
 if the plugin does not support credential caching.
 .Pp
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 .Fn conversation
 or
@@ -1605,7 +1603,7 @@ front-end before using
 .Em user_env_out .
 Failure to do so may result in a crash.
 .Pp
-Returns 1 on success, 0 on failure and \-1 on error.
+Returns 1 on success, 0 on failure, and \-1 on error.
 On error, the plugin may optionally call the
 .Fn conversation
 or
@@ -1641,7 +1639,7 @@ The
 .Fn register_hook
 function should be used to register any supported
 hooks the plugin needs.
-It returns 0 on success, 1 if the hook type is not supported and \-1
+It returns 0 on success, 1 if the hook type is not supported, and \-1
 if the major version in
 .Li struct hook
 does not match the front-end's major hook API version.
@@ -1828,7 +1826,7 @@ When an I/O plugin is loaded,
 runs the command in a pseudo-terminal.
 This makes it possible to log the input and output from the user's
 session.
-If any of the standard input, standard output or standard error do not
+If any of the standard input, standard output, or standard error do not
 correspond to a tty,
 .Nm sudo
 will open a pipe to capture
@@ -1841,10 +1839,10 @@ The log_ttyout function receives output from the pseudo-terminal that is
 suitable for replaying the user's session at a later time.
 The
 .Fn log_stdin ,
-.Fn log_stdout
+.Fn log_stdout ,
 and
 .Fn log_stderr
-functions are only called if the standard input, standard output
+functions are only called if the standard input, standard output,
 or standard error respectively correspond to something other than
 a tty.
 .Pp
@@ -2192,7 +2190,7 @@ the user but before it is passed to the running command.
 This allows the plugin to reject data if it chooses to (for instance
 if the input contains banned content).
 Returns 1 if the data should be passed to the command, 0 if the data
-is rejected (which will terminate the running command) or \-1 if an
+is rejected (which will terminate the running command), or \-1 if an
 error occurred.
 .Pp
 The function arguments are as follows:
@@ -2243,7 +2241,7 @@ the command but before it is written to the user's terminal.
 This allows the plugin to reject data if it chooses to (for instance
 if the output contains banned content).
 Returns 1 if the data should be passed to the user, 0 if the data is rejected
-(which will terminate the running command) or \-1 if an error occurred.
+(which will terminate the running command), or \-1 if an error occurred.
 .Pp
 The function arguments are as follows:
 .Bl -tag -width 4n
@@ -2294,8 +2292,9 @@ It is called whenever data can be read from the standard input but
 before it is passed to the running command.
 This allows the plugin to reject data if it chooses to
 (for instance if the input contains banned content).
-Returns 1 if the data should be passed to the command, 0 if the data is
+Returns 1 if the data should be passed to the command, 0 if the
-rejected (which will terminate the running command) or \-1 if an error occurred.
+data is rejected (which will terminate the running command), or \-1
+if an error occurred.
 .Pp
 The function arguments are as follows:
 .Bl -tag -width 4n
@@ -2346,8 +2345,9 @@ It is called whenever data can be read from the command but before
 it is written to the standard output.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
-Returns 1 if the data should be passed to the user, 0 if the data is
+Returns 1 if the data should be passed to the user, 0 if the data
-rejected (which will terminate the running command) or \-1 if an error occurred.
+is rejected (which will terminate the running command), or \-1 if
+an error occurred.
 .Pp
 The function arguments are as follows:
 .Bl -tag -width 4n
@@ -2398,8 +2398,9 @@ It is called whenever data can be read from the command but before it
 is written to the standard error.
 This allows the plugin to reject data if it chooses to
 (for instance if the output contains banned content).
-Returns 1 if the data should be passed to the user, 0 if the data is
+Returns 1 if the data should be passed to the user, 0 if the data
-rejected (which will terminate the running command) or \-1 if an error occurred.
+is rejected (which will terminate the running command), or \-1 if
+an error occurred.
 .Pp
 The function arguments are as follows:
 .Bl -tag -width 4n
@@ -2691,7 +2692,7 @@ The
 function may also be used to display additional error message to the user.
 The
 .Fn conversation
-function returns 0 on success and \-1 on failure.
+function returns 0 on success, and \-1 on failure.
 .It plugin_printf
 A pointer to a
 .Fn printf Ns -style
@@ -2884,7 +2885,7 @@ front-end.
 .It plugin_type
 The type of plugin that accepted the command, currently either
 .Dv SUDO_POLICY_PLUGIN ,
-.Dv SUDO_POLICY_APPROVAL
+.Dv SUDO_POLICY_APPROVAL ,
 or
 .Dv SUDO_FRONT_END .
 The
@@ -2991,7 +2992,7 @@ The name of the plugin that rejected the command.
 .It plugin_type
 The type of plugin that rejected the command, currently either
 .Dv SUDO_POLICY_PLUGIN ,
-.Dv SUDO_APPROVAL_PLUGIN
+.Dv SUDO_APPROVAL_PLUGIN ,
 or
 .Dv SUDO_IO_PLUGIN .
 .Pp
@@ -4237,12 +4238,12 @@ or
 try to write the message to the user's terminal.
 If the terminal is unavailable, the standard error or standard output
 will be used, depending upon whether
-The user's terminal is always used when possible for input,
-this flag is only used for output.
 .Dv SUDO_CONV_ERROR_MSG
 or
 .Dv SUDO_CONV_INFO_MSG
 was used.
+The user's terminal is always used when possible for input,
+this flag is only used for output.
 .El
 .Pp
 The
@@ -4333,7 +4334,7 @@ This can be used to query a group source other than the standard Unix
 group database.
 Two sample group plugins are bundled with
 .Nm sudo ,
-.Em group_file
+.Em group_file ,
 and
 .Em system_group ,
 are detailed in
@@ -4344,7 +4345,7 @@ A group plugin must declare and populate a
 .Li sudoers_group_plugin
 struct in the global scope.
 This structure contains pointers to the functions that implement plugin
-initialization, cleanup and group lookup.
+initialization, cleanup, and group lookup.
 .Bd -literal
 struct sudoers_group_plugin {
     unsigned int version;

docs/sudo_plugin_python.man.in

@@ -3,6 +3,7 @@
 .\" SPDX-License-Identifier: ISC
 .\"
 .\" Copyright (c) 2019-2021 Robert Manner <robert.manner@oneidentity.com>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_PLUGIN_PYTHON" "5" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_PLUGIN_PYTHON" "5" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -97,7 +98,7 @@ The actual methods required depent on the type of the plugin,
 but most return an
 \(lqint\(rq
 result code, as documented in
-sudo_plugin(@mansctsu@),
+sudo_plugin(@mansectsu@),
 that indicates whether or not the method was successful.
 The Python sudo module defines the following constants to improve readability:
 .RS 4n
@@ -327,7 +328,7 @@ strings.
 .sp
 To accept a command, at the very minimum the plugin must set in the
 \fIcommand\fR,
-\fIrunas_uid\fR
+\fIrunas_uid\fR,
 and
 \fIrunas_gid\fR
 keys.
@@ -709,7 +710,7 @@ log_stderr(self, buf: str) -> int
 .RS 6n
 .sp
 Receive the user input or output of the terminal device and
-application standard input / output / error.
+application standard input, standard output, or standard error.
 See the matching calls in
 sudo_plugin(@mansectform@).
 .sp
@@ -1022,7 +1023,7 @@ front-end.
 plugin_type
 The type of plugin that accepted the command, currently either
 \fRsudo.PLUGIN_TYPE.POLICY\fR,
-\fRsudo.PLUGIN_TYPE.APPROVAL\fR
+\fRsudo.PLUGIN_TYPE.APPROVAL\fR,
 or
 \fRsudo.PLUGIN_TYPE.SUDO\fR.
 The
@@ -1082,7 +1083,7 @@ The name of the plugin that rejected the command.
 plugin_type
 The type of plugin that rejected the command, currently either
 \fRsudo.PLUGIN_TYPE.POLICY\fR,
-\fRsudo.PLUGIN_TYPE.APPROVAL\fR
+\fRsudo.PLUGIN_TYPE.APPROVAL\fR,
 or
 \fRsudo.PLUGIN_TYPE.IO\fR.
 .sp

docs/sudo_plugin_python.mdoc.in

@@ -2,6 +2,7 @@
 .\" SPDX-License-Identifier: ISC
 .\"
 .\" Copyright (c) 2019-2021 Robert Manner <robert.manner@oneidentity.com>
+.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd September 17, 2021
+.Dd January 19, 2022
 .Dt SUDO_PLUGIN_PYTHON @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -86,7 +87,7 @@ The actual methods required depent on the type of the plugin,
 but most return an
 .Dq int
 result code, as documented in
-.Xr sudo_plugin @mansctsu@ ,
+.Xr sudo_plugin @mansectsu@ ,
 that indicates whether or not the method was successful.
 The Python sudo module defines the following constants to improve readability:
 .Bl -column "sudo.RC.USAGE_ERROR" "XXX" -offset 4n
@@ -280,7 +281,7 @@ strings.
 .Pp
 To accept a command, at the very minimum the plugin must set in the
 .Em command ,
-.Em runas_uid
+.Em runas_uid ,
 and
 .Em runas_gid
 keys.
@@ -581,7 +582,7 @@ log_stderr(self, buf: str) -> int
 .Ed
 .Pp
 Receive the user input or output of the terminal device and
-application standard input / output / error.
+application standard input, standard output, or standard error.
 See the matching calls in
 .Xr sudo_plugin @mansectform@ .
 .Pp
@@ -817,7 +818,7 @@ front-end.
 .It plugin_type
 The type of plugin that accepted the command, currently either
 .Dv sudo.PLUGIN_TYPE.POLICY ,
-.Dv sudo.PLUGIN_TYPE.APPROVAL
+.Dv sudo.PLUGIN_TYPE.APPROVAL ,
 or
 .Dv sudo.PLUGIN_TYPE.SUDO .
 The
@@ -866,7 +867,7 @@ The name of the plugin that rejected the command.
 .It plugin_type
 The type of plugin that rejected the command, currently either
 .Dv sudo.PLUGIN_TYPE.POLICY ,
-.Dv sudo.PLUGIN_TYPE.APPROVAL
+.Dv sudo.PLUGIN_TYPE.APPROVAL ,
 or
 .Dv sudo.PLUGIN_TYPE.IO .
 .Pp

docs/sudoers.ldap.man.in

@@ -194,7 +194,7 @@ only be allowed if the digest matches.
 This may be useful in situations where the user invoking
 \fBsudo\fR
 has write access to the command or its parent directory.
-The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The following digest formats are supported: sha224, sha256, sha384, and sha512.
 The digest name must be followed by a colon
 (\(oq:\&\(cq)
 and then the actual digest, in either hex or base64 format.
@@ -369,7 +369,7 @@ A
 \fRsudoRole\fR
 must contain at least one
 \fRsudoUser\fR,
-\fRsudoHost\fR
+\fRsudoHost\fR,
 and
 \fRsudoCommand\fR.
 .PP
@@ -425,7 +425,7 @@ Match all
 \fRnisNetgroup\fR
 records with a
 \fRnisNetgroupTriple\fR
-containing the user, host and NIS domain.
+containing the user, host, and NIS domain.
 The query will match
 \fRnisNetgroupTriple\fR
 entries with either the short or long form of the host name or
@@ -461,7 +461,7 @@ For the most part, there is little need for
 \fBsudo\fR-specific
 Aliases.
 Unix groups, non-Unix groups (via the
-\fIgroup_plugin\fR)
+\fIgroup_plugin\fR),
 or user netgroups can be used in place of User_Aliases and Runas_Aliases.
 Host netgroups can be used in place of Host_Aliases.
 Since groups and netgroups can also be stored in LDAP there is no real need for
@@ -535,7 +535,7 @@ that contains multiple commands.
 Multiple users and/or groups may be assigned to the
 \fRsudoRole\fR.
 .PP
-Also, host, user, runas and command-based
+Also, host, user, runas, and command-based
 \fRDefaults\fR
 entries are not supported.
 However, a
@@ -941,9 +941,9 @@ If the
 \fBSSL\fR
 parameter is set to
 \fRon\fR,
-\fRtrue\fR
+\fRtrue\fR,
-\fRor\fR
+or
-\fRyes\fR,
+\fRyes\fR
 TLS (SSL) encryption is always used when communicating with the LDAP server.
 Typically, this involves connecting to the server on port 636 (ldaps).
 .TP 6n

docs/sudoers.ldap.mdoc.in

@@ -186,7 +186,7 @@ only be allowed if the digest matches.
 This may be useful in situations where the user invoking
 .Nm sudo
 has write access to the command or its parent directory.
-The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The following digest formats are supported: sha224, sha256, sha384, and sha512.
 The digest name must be followed by a colon
 .Pq Ql :\&
 and then the actual digest, in either hex or base64 format.
@@ -351,7 +351,7 @@ A
 .Li sudoRole
 must contain at least one
 .Li sudoUser ,
-.Li sudoHost
+.Li sudoHost ,
 and
 .Li sudoCommand .
 .Pp
@@ -404,7 +404,7 @@ Match all
 .Li nisNetgroup
 records with a
 .Li nisNetgroupTriple
-containing the user, host and NIS domain.
+containing the user, host, and NIS domain.
 The query will match
 .Li nisNetgroupTriple
 entries with either the short or long form of the host name or
@@ -440,7 +440,7 @@ For the most part, there is little need for
 .Nm sudo Ns -specific
 Aliases.
 Unix groups, non-Unix groups (via the
-.Em group_plugin )
+.Em group_plugin ) ,
 or user netgroups can be used in place of User_Aliases and Runas_Aliases.
 Host netgroups can be used in place of Host_Aliases.
 Since groups and netgroups can also be stored in LDAP there is no real need for
@@ -511,7 +511,7 @@ that contains multiple commands.
 Multiple users and/or groups may be assigned to the
 .Li sudoRole .
 .Pp
-Also, host, user, runas and command-based
+Also, host, user, runas, and command-based
 .Li Defaults
 entries are not supported.
 However, a
@@ -879,9 +879,9 @@ If the
 .Sy SSL
 parameter is set to
 .Li on ,
-.Li true
+.Li true ,
-.Li or
+or
-.Li yes ,
+.Li yes
 TLS (SSL) encryption is always used when communicating with the LDAP server.
 Typically, this involves connecting to the server on port 636 (ldaps).
 .It Sy SSL Ar start_tls

docs/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "January 8, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "January 18, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -43,7 +43,7 @@ policy plugin.
 The policy is driven by
 the
 \fI@sysconfdir@/sudoers\fR
-file or, optionally in LDAP.
+file or, optionally, in LDAP.
 The policy format is described in detail in the
 \fISUDOERS FILE FORMAT\fR
 section.
@@ -56,14 +56,14 @@ sudoers.ldap(@mansectform@).
 \fBsudo\fR
 consults the
 sudo.conf(@mansectform@)
-file to determine which policy and I/O logging plugins to load.
+file to determine which plugins to load.
 If no
 sudo.conf(@mansectform@)
 file is present, or if it contains no
 \fRPlugin\fR
 lines,
 \fBsudoers\fR
-will be used for policy decisions and I/O logging.
+will be used for auditing, policy decisions and I/O logging.
 To explicitly configure
 sudo.conf(@mansectform@)
 to use the
@@ -300,7 +300,7 @@ for a description of the log file format.
 \fBsudoers\fR
 is also capable of running a command in a pseudo-terminal and logging all
 input and/or output.
-The standard input, standard output and standard error can be logged
+The standard input, standard output, and standard error can be logged
 even when not associated with a terminal.
 I/O logging is not on by default but can be enabled using
 the
@@ -372,7 +372,7 @@ Additional variables, such as
 and
 \fRTERM\fR,
 are preserved from the invoking user's environment if permitted by the
-\fIenv_check\fR
+\fIenv_check\fR,
 or
 \fIenv_keep\fR
 options.
@@ -846,7 +846,7 @@ non-Unix group names and IDs (prefixed with
 \(oq%:\(cq
 and
 \(oq%:#\(cq
-respectively) and
+respectively), and
 \fRUser_Alias\fRes.
 Each list item may be prefixed with zero or more
 \(oq\&!\(cq
@@ -957,7 +957,7 @@ A
 \fRHost_List\fR
 is made up of one or more host names, IP addresses,
 network numbers, netgroups (prefixed with
-\(oq+\(cq)
+\(oq+\(cq),
 and other aliases.
 Again, the value of an item may be negated with the
 \(oq\&!\(cq
@@ -1100,7 +1100,7 @@ Starting with version 1.9.0, the
 \fBALL\fR
 reserved word can be used in conjunction with a
 \fRDigest_List\fR.
-The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The following digest formats are supported: sha224, sha256, sha384, and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
 There are several utilities capable of generating SHA-2 digests in hex
@@ -1217,7 +1217,7 @@ operator to remove an element
 that does not exist in a list.
 .PP
 Defaults entries are parsed in the following order: generic, host,
-user and runas Defaults first, then command defaults.
+user, and runas Defaults first, then command defaults.
 If there are multiple Defaults settings of the same type, the last
 matching setting is used.
 The following Defaults settings are parsed before all others since
@@ -1586,13 +1586,13 @@ A command may have a timeout associated with it.
 If the timeout expires before the command has exited, the
 command will be terminated.
 The timeout may be specified in combinations of days, hours,
-minutes and seconds with a single-letter case-insensitive suffix
+minutes, and seconds with a single-letter case-insensitive suffix
 that indicates the unit of time.
-For example, a timeout of 7 days, 8 hours, 30 minutes and
+For example, a timeout of 7 days, 8 hours, 30 minutes, and
 10 seconds would be written as
 \fR7d8h30m10s\fR.
 If a number is specified without a unit, seconds are assumed.
-Any of the days, minutes, hours or seconds may be omitted.
+Any of the days, minutes, hours, or seconds may be omitted.
 The order must be from largest to smallest unit and a unit
 may not be specified more than once.
 .PP
@@ -1818,7 +1818,7 @@ section below.
 .sp
 By default,
 \fBsudo\fR
-requires that a user authenticate him or herself
+requires that a user authenticate
 before running a command.
 This behavior can be modified via the
 \fRNOPASSWD\fR
@@ -1933,7 +1933,7 @@ and logged just like they would be if run through
 \fBsudo\fR
 directly.
 This is useful in conjunction with commands that allow shell escapes
-such as editors, shells and paginators.
+such as editors, shells, and paginators.
 .sp
 In the following example, user
 \fBchuck\fR
@@ -1959,7 +1959,7 @@ works and whether or not it will work on your system.
 allows shell-style
 \fIwildcards\fR
 (aka meta or glob characters)
-to be used in host names, path names and command line arguments in the
+to be used in host names, path names, and command line arguments in the
 \fIsudoers\fR
 file.
 Wildcard matching is done via the
@@ -2745,7 +2745,7 @@ This flag is only effective on systems for which
 \fBsudoers\fR
 supports audit logging, including
 FreeBSD,
-Linux, macOS and Solaris.
+Linux, macOS, and Solaris.
 This flag is
 \fIon\fR
 by default.
@@ -3186,7 +3186,7 @@ This setting is only supported by version 1.9.8 or higher.
 .TP 18n
 netgroup_tuple
 If set, netgroup lookups will be performed using the full netgroup
-tuple: host name, user name and domain (if one is set).
+tuple: host name, user name, and domain (if one is set).
 Historically,
 \fBsudo\fR
 only matched the user name and domain for netgroups used in a
@@ -3549,12 +3549,12 @@ A pseudo-terminal is allocated by
 \fBsudo\fR
 when it is running in a terminal and one or more of the
 \fIlog_input\fR,
-\fIlog_output\fR
+\fIlog_output\fR,
 or
 \fIuse_pty\fR
 flags is enabled.
 By default, the new entry will be a copy of the user's existing utmp
-entry (if any), with the tty, time, type and pid fields updated.
+entry (if any), with the tty, time, type, and pid fields updated.
 This flag is
 \fIon\fR
 by default.
@@ -3823,7 +3823,7 @@ closefrom
 Before it executes a command,
 \fBsudo\fR
 will close all open file descriptors other than standard input,
-standard output and standard error (ie: file descriptors 0-2).
+standard output, and standard error (file descriptors 0-2).
 The
 \fIclosefrom\fR
 option can be used to specify a different file descriptor at which
@@ -3896,7 +3896,7 @@ creates log messages up to 980 bytes which corresponds to the
 historic
 BSD
 syslog implementation which used a 1024 byte buffer
-to store the message, date, hostname and program name.
+to store the message, date, hostname, and program name.
 To prevent syslog messages from being truncated,
 \fBsudoers\fR
 will split up log messages that are larger than
@@ -4178,7 +4178,7 @@ This setting is only supported by version 1.8.19 or higher.
 .TP 18n
 iolog_mode
 The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group or other
+Mode bits for read and write permissions for owner, group, or other
 are honored, everything else is ignored.
 The file permissions will always include the owner read and
 write bits, even if they are not present in the specified mode.
@@ -4935,7 +4935,7 @@ It is only possible to use
 \fIrunchroot\fR
 as a command-specific Defaults setting if the command exists with
 the same path both inside and outside the chroot jail.
-This restriction does not apply to generic, host or user-based
+This restriction does not apply to generic, host, or user-based
 Defaults settings or to a
 \fICmnd_Spec\fR
 that includes a
@@ -6304,7 +6304,7 @@ The user
 may run any command on any machine except for those in the
 \fISERVERS\fR
 \fRHost_Alias\fR
-(primary, mail, www and ns).
+(primary, mail, www, and ns).
 .nf
 .sp
 .RS 0n
@@ -6460,7 +6460,7 @@ allow shell escapes, which lets a user bypass
 \fBsudo\fR's
 access control and logging.
 Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
+editors, paginators, mail, and terminal programs.
 .PP
 There are four basic approaches to this problem:
 .TP 10n
@@ -6850,7 +6850,7 @@ The priorities used by
 \fBsudoers\fR,
 in order of decreasing severity,
 are:
-\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR,
 and
 \fIdebug\fR.
 Each priority, when specified, also includes all priorities higher
@@ -6898,7 +6898,7 @@ LDAP-based sudoers
 logging support
 .TP 10n
 \fImatch\fR
-matching of users, groups, hosts and netgroups in the
+matching of users, groups, hosts, and netgroups in the
 \fIsudoers\fR
 file
 .TP 10n

docs/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd January 8, 2022
+.Dd January 18, 2022
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -42,7 +42,7 @@ policy plugin.
 The policy is driven by
 the
 .Pa @sysconfdir@/sudoers
-file or, optionally in LDAP.
+file or, optionally, in LDAP.
 The policy format is described in detail in the
 .Sx SUDOERS FILE FORMAT
 section.
@@ -55,14 +55,14 @@ in LDAP, please see
 .Nm sudo
 consults the
 .Xr sudo.conf @mansectform@
-file to determine which policy and I/O logging plugins to load.
+file to determine which plugins to load.
 If no
 .Xr sudo.conf @mansectform@
 file is present, or if it contains no
 .Li Plugin
 lines,
 .Nm
-will be used for policy decisions and I/O logging.
+will be used for auditing, policy decisions and I/O logging.
 To explicitly configure
 .Xr sudo.conf @mansectform@
 to use the
@@ -289,7 +289,7 @@ for a description of the log file format.
 .Nm
 is also capable of running a command in a pseudo-terminal and logging all
 input and/or output.
-The standard input, standard output and standard error can be logged
+The standard input, standard output, and standard error can be logged
 even when not associated with a terminal.
 I/O logging is not on by default but can be enabled using
 the
@@ -361,7 +361,7 @@ Additional variables, such as
 and
 .Ev TERM ,
 are preserved from the invoking user's environment if permitted by the
-.Em env_check
+.Em env_check ,
 or
 .Em env_keep
 options.
@@ -815,7 +815,7 @@ non-Unix group names and IDs (prefixed with
 .Ql %:
 and
 .Ql %:#
-respectively) and
+respectively), and
 .Li User_Alias Ns es.
 Each list item may be prefixed with zero or more
 .Ql \&!
@@ -919,7 +919,7 @@ A
 .Li Host_List
 is made up of one or more host names, IP addresses,
 network numbers, netgroups (prefixed with
-.Ql + )
+.Ql + ) ,
 and other aliases.
 Again, the value of an item may be negated with the
 .Ql \&!
@@ -1059,7 +1059,7 @@ Starting with version 1.9.0, the
 .Sy ALL
 reserved word can be used in conjunction with a
 .Li Digest_List .
-The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The following digest formats are supported: sha224, sha256, sha384, and sha512.
 The string may be specified in either hex or base64 format
 (base64 is more compact).
 There are several utilities capable of generating SHA-2 digests in hex
@@ -1167,7 +1167,7 @@ operator to remove an element
 that does not exist in a list.
 .Pp
 Defaults entries are parsed in the following order: generic, host,
-user and runas Defaults first, then command defaults.
+user, and runas Defaults first, then command defaults.
 If there are multiple Defaults settings of the same type, the last
 matching setting is used.
 The following Defaults settings are parsed before all others since
@@ -1502,13 +1502,13 @@ A command may have a timeout associated with it.
 If the timeout expires before the command has exited, the
 command will be terminated.
 The timeout may be specified in combinations of days, hours,
-minutes and seconds with a single-letter case-insensitive suffix
+minutes, and seconds with a single-letter case-insensitive suffix
 that indicates the unit of time.
-For example, a timeout of 7 days, 8 hours, 30 minutes and
+For example, a timeout of 7 days, 8 hours, 30 minutes, and
 10 seconds would be written as
 .Li 7d8h30m10s .
 If a number is specified without a unit, seconds are assumed.
-Any of the days, minutes, hours or seconds may be omitted.
+Any of the days, minutes, hours, or seconds may be omitted.
 The order must be from largest to smallest unit and a unit
 may not be specified more than once.
 .Pp
@@ -1724,7 +1724,7 @@ section below.
 .sp
 By default,
 .Nm sudo
-requires that a user authenticate him or herself
+requires that a user authenticate
 before running a command.
 This behavior can be modified via the
 .Li NOPASSWD
@@ -1829,7 +1829,7 @@ and logged just like they would be if run through
 .Nm sudo
 directly.
 This is useful in conjunction with commands that allow shell escapes
-such as editors, shells and paginators.
+such as editors, shells, and paginators.
 .Pp
 In the following example, user
 .Sy chuck
@@ -1851,7 +1851,7 @@ works and whether or not it will work on your system.
 allows shell-style
 .Em wildcards
 (aka meta or glob characters)
-to be used in host names, path names and command line arguments in the
+to be used in host names, path names, and command line arguments in the
 .Em sudoers
 file.
 Wildcard matching is done via the
@@ -2589,7 +2589,7 @@ This flag is only effective on systems for which
 .Nm
 supports audit logging, including
 .Fx ,
-Linux, macOS and Solaris.
+Linux, macOS, and Solaris.
 This flag is
 .Em on
 by default.
@@ -3001,7 +3001,7 @@ by default.
 This setting is only supported by version 1.9.8 or higher.
 .It netgroup_tuple
 If set, netgroup lookups will be performed using the full netgroup
-tuple: host name, user name and domain (if one is set).
+tuple: host name, user name, and domain (if one is set).
 Historically,
 .Nm sudo
 only matched the user name and domain for netgroups used in a
@@ -3343,12 +3343,12 @@ A pseudo-terminal is allocated by
 .Nm sudo
 when it is running in a terminal and one or more of the
 .Em log_input ,
-.Em log_output
+.Em log_output ,
 or
 .Em use_pty
 flags is enabled.
 By default, the new entry will be a copy of the user's existing utmp
-entry (if any), with the tty, time, type and pid fields updated.
+entry (if any), with the tty, time, type, and pid fields updated.
 This flag is
 .Em on
 by default.
@@ -3602,7 +3602,7 @@ by default.
 Before it executes a command,
 .Nm sudo
 will close all open file descriptors other than standard input,
-standard output and standard error (ie: file descriptors 0-2).
+standard output, and standard error (file descriptors 0-2).
 The
 .Em closefrom
 option can be used to specify a different file descriptor at which
@@ -3670,7 +3670,7 @@ creates log messages up to 980 bytes which corresponds to the
 historic
 .Bx
 syslog implementation which used a 1024 byte buffer
-to store the message, date, hostname and program name.
+to store the message, date, hostname, and program name.
 To prevent syslog messages from being truncated,
 .Nm
 will split up log messages that are larger than
@@ -3933,7 +3933,7 @@ are set, I/O log files and directories are created with group-ID 0.
 This setting is only supported by version 1.8.19 or higher.
 .It iolog_mode
 The file mode to use when creating I/O log files.
-Mode bits for read and write permissions for owner, group or other
+Mode bits for read and write permissions for owner, group, or other
 are honored, everything else is ignored.
 The file permissions will always include the owner read and
 write bits, even if they are not present in the specified mode.
@@ -4606,7 +4606,7 @@ It is only possible to use
 .Em runchroot
 as a command-specific Defaults setting if the command exists with
 the same path both inside and outside the chroot jail.
-This restriction does not apply to generic, host or user-based
+This restriction does not apply to generic, host, or user-based
 Defaults settings or to a
 .Em Cmnd_Spec
 that includes a
@@ -5831,7 +5831,7 @@ The user
 may run any command on any machine except for those in the
 .Em SERVERS
 .Li Host_Alias
-(primary, mail, www and ns).
+(primary, mail, www, and ns).
 .Bd -literal
 jill		SERVERS = /usr/bin/, !SU, !SHELLS
 .Ed
@@ -5966,7 +5966,7 @@ allow shell escapes, which lets a user bypass
 .Nm sudo Ns 's
 access control and logging.
 Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
+editors, paginators, mail, and terminal programs.
 .Pp
 There are four basic approaches to this problem:
 .Bl -tag -width 8n
@@ -6339,7 +6339,7 @@ The priorities used by
 .Nm ,
 in order of decreasing severity,
 are:
-.Em crit , err , warn , notice , diag , info , trace
+.Em crit , err , warn , notice , diag , info , trace ,
 and
 .Em debug .
 Each priority, when specified, also includes all priorities higher
@@ -6379,7 +6379,7 @@ LDAP-based sudoers
 .It Em logging
 logging support
 .It Em match
-matching of users, groups, hosts and netgroups in the
+matching of users, groups, hosts, and netgroups in the
 .Em sudoers
 file
 .It Em netif

docs/sudoreplay.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOREPLAY" "@mansectsu@" "August 13, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDOREPLAY" "@mansectsu@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -89,7 +89,7 @@ list mode.
 In list mode,
 \fBsudoreplay\fR
 can be used to find the ID of a session based on a number of criteria
-such as the user, tty or command run.
+such as the user, tty, or command run.
 .PP
 In replay mode, if the standard input and output are connected to a terminal
 and the
@@ -131,7 +131,7 @@ instead of the default,
 Select which I/O type(s) to display.
 By default,
 \fBsudoreplay\fR
-will display the command's standard output, standard error and tty output.
+will display the command's standard output, standard error, and tty output.
 The
 \fIfilter\fR
 argument is a comma-separated list, consisting of one or more of following:
@@ -241,7 +241,7 @@ Predicates may be abbreviated to the shortest unique string.
 .sp
 Predicates may be combined using
 \fIand\fR,
-\fIor\fR
+\fIor\fR,
 and
 \fI\&!\fR
 operators as well as

docs/sudoreplay.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2009-2021 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2009-2022 Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd August 13, 2021
+.Dd January 19, 2022
 .Dt SUDOREPLAY @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -87,7 +87,7 @@ list mode.
 In list mode,
 .Nm
 can be used to find the ID of a session based on a number of criteria
-such as the user, tty or command run.
+such as the user, tty, or command run.
 .Pp
 In replay mode, if the standard input and output are connected to a terminal
 and the
@@ -126,7 +126,7 @@ instead of the default,
 Select which I/O type(s) to display.
 By default,
 .Nm
-will display the command's standard output, standard error and tty output.
+will display the command's standard output, standard error, and tty output.
 The
 .Ar filter
 argument is a comma-separated list, consisting of one or more of following:
@@ -222,7 +222,7 @@ Predicates may be abbreviated to the shortest unique string.
 .Pp
 Predicates may be combined using
 .Em and ,
-.Em or
+.Em or ,
 and
 .Em \&!
 operators as well as

docs/visudo.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1996,1998-2005, 2007-2021
+.\" Copyright (c) 1996,1998-2005, 2007-2022
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "VISUDO" "@mansectsu@" "November 6, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "VISUDO" "@mansectsu@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -71,10 +71,7 @@ The
 option should be used with extreme caution because if
 \fBvisudo\fR
 believes there to be a syntax error, so will
-\fBsudo\fR
+\fBsudo\fR.
-and no one will be able to run
-\fBsudo\fR
-again until the error is fixed.
 If
 \(oqe\(cq
 is typed to edit the
@@ -96,7 +93,7 @@ separated list of editors allowed to be used with
 \fBvisudo\fR
 will choose the editor that matches the user's
 \fRSUDO_EDITOR\fR,
-\fRVISUAL\fR
+\fRVISUAL\fR,
 or
 \fREDITOR\fR
 environment variable if possible, or the first editor in the
@@ -105,7 +102,7 @@ Note that
 \fBsudo\fR
 does not preserve the
 \fRSUDO_EDITOR\fR,
-\fRVISUAL\fR
+\fRVISUAL\fR,
 or
 \fREDITOR\fR
 environment variables unless they are present in the
@@ -126,7 +123,7 @@ If set,
 \fBvisudo\fR
 will use the value of the
 \fRSUDO_EDITOR\fR,
-\fRVISUAL\fR
+\fRVISUAL\fR,
 or
 \fREDITOR\fR
 environment variables before falling back on the default editor list.
@@ -143,7 +140,7 @@ variable.
 \fBvisudo\fR
 will then only use
 \fRSUDO_EDITOR\fR,
-\fRVISUAL\fR
+\fRVISUAL\fR,
 or
 \fREDITOR\fR
 if they match a value specified in
@@ -152,7 +149,7 @@ If the
 \fIenv_reset\fR
 flag is enabled, the
 \fRSUDO_EDITOR\fR,
-\fRVISUAL\fR
+\fRVISUAL\fR,
 and/or
 \fREDITOR\fR
 environment variables must be present in the
@@ -307,7 +304,7 @@ will also parse the arguments to the
 \fIsudoers\fR
 plugin to override the default
 \fIsudoers\fR
-path name, UID, GID and file mode.
+path name, UID, GID, and file mode.
 These arguments, if present, should be listed after the path to the plugin
 (i.e., after
 \fIsudoers.so\fR).

docs/visudo.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1996,1998-2005, 2007-2021
+.\" Copyright (c) 1996,1998-2005, 2007-2022
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -20,7 +20,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd November 6, 2021
+.Dd January 19, 2022
 .Dt VISUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -69,10 +69,7 @@ The
 option should be used with extreme caution because if
 .Nm
 believes there to be a syntax error, so will
-.Nm sudo
+.Nm sudo .
-and no one will be able to run
-.Nm sudo
-again until the error is fixed.
 If
 .Ql e
 is typed to edit the
@@ -94,7 +91,7 @@ separated list of editors allowed to be used with
 .Nm
 will choose the editor that matches the user's
 .Ev SUDO_EDITOR ,
-.Ev VISUAL
+.Ev VISUAL ,
 or
 .Ev EDITOR
 environment variable if possible, or the first editor in the
@@ -103,7 +100,7 @@ Note that
 .Nm sudo
 does not preserve the
 .Ev SUDO_EDITOR ,
-.Ev VISUAL
+.Ev VISUAL ,
 or
 .Ev EDITOR
 environment variables unless they are present in the
@@ -123,7 +120,7 @@ If set,
 .Nm
 will use the value of the
 .Ev SUDO_EDITOR ,
-.Ev VISUAL
+.Ev VISUAL ,
 or
 .Ev EDITOR
 environment variables before falling back on the default editor list.
@@ -140,7 +137,7 @@ variable.
 .Nm
 will then only use
 .Ev SUDO_EDITOR ,
-.Ev VISUAL
+.Ev VISUAL ,
 or
 .Ev EDITOR
 if they match a value specified in
@@ -149,7 +146,7 @@ If the
 .Em env_reset
 flag is enabled, the
 .Ev SUDO_EDITOR ,
-.Ev VISUAL
+.Ev VISUAL ,
 and/or
 .Ev EDITOR
 environment variables must be present in the
@@ -299,7 +296,7 @@ will also parse the arguments to the
 .Em sudoers
 plugin to override the default
 .Em sudoers
-path name, UID, GID and file mode.
+path name, UID, GID, and file mode.
 These arguments, if present, should be listed after the path to the plugin
 (i.e., after
 .Pa sudoers.so ) .

examples/sudo.conf.in

@@ -129,10 +129,10 @@
 #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
 #
 # Sudo and related programs support logging debug information to a file.
-# The program is typically sudo, sudoers.so, sudoreplay or visudo.
+# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
 #
 # Subsystems vary based on the program; "all" matches all subsystems.
-# Priority may be crit, err, warn, notice, diag, info, trace or debug.
+# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
 #Debug sudo /var/log/sudo_debug all@debug

examples/sudo_logsrvd.conf

@@ -187,7 +187,7 @@
 #maxseq = 2176782336
 
 [eventlog]
-# Where to log accept, reject, exit and alert events.
+# Where to log accept, reject, exit, and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog