Remove duplicated sudo.conf info in the sudo, sudoers and sudo_plugin

manuals and cross-reference the new sudo.conf manual.
2013-02-05 16:12:39 -05:00
parent 5debfeeaf7
commit 14bf23c4a2
12 changed files with 670 additions and 1489 deletions
--- a/doc/sudo.cat
+++ b/doc/sudo.cat
@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
     input/output logging.  Third parties can develop and distribute their own
     policy and I/O logging plugins to work seamlessly with the ssuuddoo front
     end.  The default security policy is _s_u_d_o_e_r_s, which is configured via the
-     file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP.  See the _P_L_U_G_I_N_S section for more
+     file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP.  See the _P_l_u_g_i_n_s section for more
     information.
     The security policy determines what privileges, if any, a user has to run
@@ -54,7 +54,7 @@ DDEESSCCRRIIPPTTIIOONN
                 to read the user's password and output the password to the
                 standard output.  If the SUDO_ASKPASS environment variable is
                 set, it specifies the path to the helper program.  Otherwise,
-                 if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
+                 if sudo.conf(4) contains a line specifying the askpass
                 program, that value will be used.  For example:
                     # Path to askpass helper program
@@ -299,7 +299,7 @@ DDEESSCCRRIIPPTTIIOONN
 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
     When ssuuddoo executes a command, the security policy specifies the execution
-     envionment for the command.  Typically, the real and effective uid and
+     environment for the command.  Typically, the real and effective uid and
     gid are set to match those of the target user, as specified in the
     password database, and the group vector is initialized based on the group
     database (unless the --PP option was specified).
@@ -354,7 +354,7 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
     As a special case, ssuuddoo will not relay signals that were sent by the
     command it is running.  This prevents the command from accidentally
     killing itself.  On some systems, the reboot(1m) command sends SIGTERM to
-     all non-system processes other than itself before rebooting the systyem.
+     all non-system processes other than itself before rebooting the system.
     This prevents ssuuddoo from relaying the SIGTERM signal it received back to
     reboot(1m), which might then exit before the system was actually rebooted,
     leaving it in a half-dead state similar to single user mode.  Note,
@@ -365,126 +365,13 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
     run using the eexxeecc() family of functions instead of ssyysstteemm() (which
     interposes a shell between the command and the calling process).
-PPLLUUGGIINNSS
+   PPlluuggiinnss
-     Plugins are dynamically loaded based on the contents of the
+     Plugins are dynamically loaded based on the contents of the sudo.conf(4)
-     _/_e_t_c_/_s_u_d_o_._c_o_n_f file.  If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it
+     file.  If no sudo.conf(4) file is present, or it contains no Plugin
-     contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security
+     lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security policy and I/O
-     policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f
+     logging.  See the sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f
-     file.
+     file and the sudo_plugin(1m) manual for more information about the ssuuddoo
-
+     plugin architecture.
     #
     # Default /etc/sudo.conf file
     #
     # Format:
     #   Plugin plugin_name plugin_path plugin_options ...
     #   Path askpass /path/to/askpass
     #   Path noexec /path/to/sudo_noexec.so
     #   Debug sudo /var/log/sudo_debug all@warn
     #   Set disable_coredump true
     #
     # The plugin_path is relative to /usr/local/libexec unless
     #   fully qualified.
     # The plugin_name corresponds to a global symbol in the plugin
     #   that contains the plugin interface structure.
     # The plugin_options are optional.
     #
     Plugin policy_plugin sudoers.so
     Plugin io_plugin sudoers.so
     A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
     and the _p_a_t_h to the shared object containing the plugin.  The _s_y_m_b_o_l___n_a_m_e
     is the name of the struct policy_plugin or struct io_plugin in the plugin
     shared object.  The _p_a_t_h may be fully qualified or relative.  If not
     fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory.  Any
     additional parameters after the _p_a_t_h are passed as arguments to the
     plugin's _o_p_e_n function.  Lines that don't begin with Plugin, Path, Debug,
     or Set are silently ignored.
     The _/_e_t_c_/_s_u_d_o_._c_o_n_f file is always parsed in the ``C'' locale.
     For more information, see the sudo_plugin(1m) manual.
 PPAATTHHSS
     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  E.g.
           Path noexec /usr/local/libexec/sudo_noexec.so
           Path askpass /usr/X11R6/bin/ssh-askpass
     The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
     file:
     askpass   The fully qualified path to a helper program used to read the
               user's password when no terminal is available.  This may be the
               case when ssuuddoo is executed from a graphical (as opposed to
               text-based) application.  The program specified by _a_s_k_p_a_s_s
               should display the argument passed to it as the prompt and
               write the user's password to the standard output.  The value of
               _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
               variable.
     noexec    The fully-qualified path to a shared library containing dummy
               versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
               functions that just return an error.  This is used to implement
               the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
               its equivalent.  Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
 DDEEBBUUGG FFLLAAGGSS
     ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
     that can help track down what ssuuddoo is doing internally if there is a
     problem.
     A Debug line consists of the Debug keyword, followed by the name of the
     program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a
     comma-separated list of debug flags.  The debug flag syntax used by ssuuddoo
     and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
     use a different format so long as it does not include a comma (`,').
     For instance:
           Debug sudo /var/log/sudo_debug all@warn,plugin@info
     would log all debugging statements at the _w_a_r_n level and higher in
     addition to those at the _i_n_f_o level for the plugin subsystem.
     Currently, only one Debug entry per program is supported.  The ssuuddoo Debug
     entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins.  A
     future release may add support for per-plugin Debug lines and/or support
     for multiple debugging files for a single program.
     The priorities used by the ssuuddoo front end, in order of decreasing
     severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
     Each priority, when specified, also includes all priorities higher than
     it.  For example, a priority of _n_o_t_i_c_e would include debug messages
     logged at _n_o_t_i_c_e and higher.
     The following subsystems are used by the ssuuddoo front-end:
     _a_l_l         matches every subsystem
     _a_r_g_s        command line argument processing
     _c_o_n_v        user conversation
     _e_d_i_t        sudoedit
     _e_x_e_c        command execution
     _m_a_i_n        ssuuddoo main function
     _n_e_t_i_f       network interface handling
     _p_c_o_m_m       communication with the plugin
     _p_l_u_g_i_n      plugin configuration
     _p_t_y         pseudo-tty related code
     _s_e_l_i_n_u_x     SELinux-specific handling
     _u_t_i_l        utility functions
     _u_t_m_p        utmp handling
 EEXXIITT VVAALLUUEE
     Upon successful execution of a program, the exit status from _s_u_d_o will
@@ -526,15 +413,11 @@ SSEECCUURRIITTYY NNOOTTEESS
     disables core dumps by default while it is executing (they are re-enabled
     for the command that is run).  To aid in debugging ssuuddoo crashes, you may
     wish to re-enable core dumps by setting ``disable_coredump'' to false in
-     the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows:
+     the sudo.conf(4) file as follows:
           Set disable_coredump false
-     Note that by default, most operating systems disable core dumps from
+     See the sudo.conf(4) manual for more information.
     setuid programs, which includes ssuuddoo.  To actually get a ssuuddoo core file
     you may need to enable core dumps for setuid processes.  On BSD and Linux
     systems this is accomplished via the sysctl command, on Solaris the
     coreadm command can be used.
 EENNVVIIRROONNMMEENNTT
     ssuuddoo utilizes the following environment variables.  The security policy
@@ -619,8 +502,8 @@ EEXXAAMMPPLLEESS
           $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
 SSEEEE AALLSSOO
-     su(1), stat(2), login_cap(3), passwd(4), sudoers(4), sudo_plugin(1m),
+     su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4),
-     sudoreplay(1m), visudo(1m)
+     sudo_plugin(1m), sudoreplay(1m), visudo(1m)
 HHIISSTTOORRYY
     See the HISTORY file in the ssuuddoo distribution
@@ -670,4 +553,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
     complete details.
-Sudo 1.8.7                     November 12, 2012                    Sudo 1.8.7
+Sudo 1.8.7                     February 5, 2013                     Sudo 1.8.7
--- a/doc/sudo.conf.cat
+++ b/doc/sudo.conf.cat
@@ -47,12 +47,18 @@ DDEESSCCRRIIPPTTIIOONN
           Plugin sudoers_policy /usr/local/libexec/sudoers.so
-     Any additional parameters after the _p_a_t_h are passed as arguments to the
+     Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are
-     plugin's _o_p_e_n function.  For example, to override the compile-time
+     passed as arguments to the plugin's _o_p_e_n function.  For example, to
-     default sudoers file mode:
+     override the compile-time default sudoers file mode:
           Plugin sudoers_policy sudoers.so sudoers_mode=0440
     The same shared object may contain multiple plugins, each with a
     different symbol name.  The shared object file must be owned by uid 0 and
     only writable by its owner.  Because of ambiguities that arise from
     composite policies, only a single policy plugin may be specified.  This
     limitation does not apply to I/O plugins.
     If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the
     ssuuddooeerrss plugin will be used as the default security policy and for I/O
     logging (if enabled by the policy).  This is equivalent to the following:
@@ -102,7 +108,7 @@ DDEESSCCRRIIPPTTIIOONN
               Note that most operating systems disable core dumps from setuid
               programs, including ssuuddoo.  To actually get a ssuuddoo core file you
               will likely need to enable core dumps for setuid processes.  On
-               BSD and Linux systems this is accomplished via the sysctl
+               BSD and Linux systems this is accomplished in the sysctl
               command.  On Solaris, the coreadm command is used to configure
               core dump behavior.
@@ -298,7 +304,7 @@ EEXXAAMMPPLLEESS
     #Set group_source static
 SSEEEE AALLSSOO
-     sudoers(4), sudo(1m), sudo_plugin(1m),
+     sudoers(4), sudo(1m), sudo_plugin(1m)
 HHIISSTTOORRYY
     See the HISTORY file in the ssuuddoo distribution
@@ -330,4 +336,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
     complete details.
-Sudo 1.8.7                     February 1, 2013                     Sudo 1.8.7
+Sudo 1.8.7                     February 5, 2013                     Sudo 1.8.7
--- a/doc/sudo.conf.man.in
+++ b/doc/sudo.conf.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -124,7 +124,9 @@ Plugin sudoers_policy @PLUGINDIR@/sudoers.so
 .RE
 .fi
 .PP
-Any additional parameters after the
+Starting with
 \fBsudo\fR
 1.8.5, any additional parameters after the
 \fIpath\fR
 are passed as arguments to the plugin's
 \fIopen\fR
@@ -137,6 +139,13 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0440
 .RE
 .fi
 .PP
 The same shared object may contain multiple plugins, each with a
 different symbol name.
 The shared object file must be owned by uid 0 and only writable by its owner.
 Because of ambiguities that arise from composite policies, only a single
 policy plugin may be specified.
 This limitation does not apply to I/O plugins.
 .PP
 If no
 \fBsudo.conf\fR
 file is present, or if it contains no
@@ -239,7 +248,7 @@ including
 To actually get a
 \fBsudo\fR
 core file you will likely need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the
+On BSD and Linux systems this is accomplished in the
 sysctl
 command.
 On Solaris, the
@@ -533,7 +542,7 @@ Plugin io_plugin sudoers.so
 .SH "SEE ALSO"
 sudoers(@mansectform@),
 sudo(@mansectsu@),
-sudo_plugin(@mansectsu@),
+sudo_plugin(@mansectsu@)
 .SH "HISTORY"
 See the HISTORY file in the
 \fBsudo\fR
--- a/doc/sudo.conf.mdoc.in
+++ b/doc/sudo.conf.mdoc.in
@@ -114,7 +114,9 @@ is equivalent to:
 Plugin sudoers_policy @PLUGINDIR@/sudoers.so
 .Ed
 .Pp
-Any additional parameters after the
+Starting with
 .Nm sudo
 1.8.5, any additional parameters after the
 .Em path
 are passed as arguments to the plugin's
 .Em open
@@ -124,6 +126,13 @@ For example, to override the compile-time default sudoers file mode:
 Plugin sudoers_policy sudoers.so sudoers_mode=0440
 .Ed
 .Pp
 The same shared object may contain multiple plugins, each with a
 different symbol name.
 The shared object file must be owned by uid 0 and only writable by its owner.
 Because of ambiguities that arise from composite policies, only a single
 policy plugin may be specified.
 This limitation does not apply to I/O plugins.
 .Pp
 If no
 .Nm sudo.conf
 file is present, or if it contains no
@@ -216,7 +225,7 @@ including
 To actually get a
 .Nm sudo
 core file you will likely need to enable core dumps for setuid processes.
-On BSD and Linux systems this is accomplished via the
+On BSD and Linux systems this is accomplished in the
 .Xr sysctl
 command.
 On Solaris, the
--- a/doc/sudo.man.in
+++ b/doc/sudo.man.in
@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
 .\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "@mansectsu@" "November 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -99,7 +99,7 @@ which is configured via the file
 \fI@sysconfdir@/sudoers\fR,
 or via LDAP.
 See the
-\fIPLUGINS\fR
+\fIPlugins\fR
 section for more information.
 .PP
 The security policy determines what privileges, if any, a user has
@@ -162,7 +162,7 @@ If the
 environment variable is set, it specifies the path to the helper
 program.
 Otherwise, if
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 contains a line specifying the askpass program, that value will be
 used.
 For example:
@@ -694,7 +694,7 @@ for more information.
 When
 \fBsudo\fR
 executes a command, the security policy specifies the execution
-envionment for the command.
+environment for the command.
 Typically, the real and effective uid and gid are set to
 match those of the target user, as specified in the password database,
 and the group vector is initialized based on the group database
@@ -796,7 +796,7 @@ reboot(@mansectsu@)
 command sends
 \fRSIGTERM\fR
 to all non-system processes other than itself before rebooting
-the systyem.
+the system.
 This prevents
 \fBsudo\fR
 from relaying the
@@ -823,250 +823,28 @@ are run using the
 family of functions instead of
 \fBsystem\fR()
 (which interposes a shell between the command and the calling process).
-.SH "PLUGINS"
+.SS "Plugins"
 Plugins are dynamically loaded based on the contents of the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 file.
 If no
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 file is present, or it contains no
 \fRPlugin\fR
 lines,
 \fBsudo\fR
 will use the traditional
 \fIsudoers\fR
-security policy and I/O logging, which corresponds to the following
+security policy and I/O logging.
 See the
 sudo.conf(@mansectform@)
 manual for details of the
 \fI@sysconfdir@/sudo.conf\fR
-file.
+file and the
 .nf
 .sp
 .RS 0n
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .RE
 .fi
 .PP
 A
 \fRPlugin\fR
 line consists of the
 \fRPlugin\fR
 keyword, followed by the
 \fIsymbol_name\fR
 and the
 \fIpath\fR
 to the shared object containing the plugin.
 The
 \fIsymbol_name\fR
 is the name of the
 \fRstruct policy_plugin\fR
 or
 \fRstruct io_plugin\fR
 in the plugin shared object.
 The
 \fIpath\fR
 may be fully qualified or relative.
 If not fully qualified it is relative to the
 \fI@PLUGINDIR@\fR
 directory.
 Any additional parameters after the
 \fIpath\fR
 are passed as arguments to the plugin's
 \fIopen\fR
 function.
 Lines that don't begin with
 \fRPlugin\fR,
 \fRPath\fR,
 \fRDebug\fR,
 or
 \fRSet\fR
 are silently ignored.
 .PP
 The
 \fI@sysconfdir@/sudo.conf\fR
 file is always parsed in the
 ``\fRC\fR''
 locale.
 .PP
 For more information, see the
 sudo_plugin(@mansectsu@)
-manual.
+manual for more information about the
 .SH "PATHS"
 A
 \fRPath\fR
 line consists of the
 \fRPath\fR
 keyword, followed by the name of the path to set and its value.
 E.g.
 .nf
 .sp
 .RS 6n
 Path noexec @noexec_file@
 Path askpass /usr/X11R6/bin/ssh-askpass
 .RE
 .fi
 .PP
 The following plugin-agnostic paths may be set in the
 \fI@sysconfdir@/sudo.conf\fR
 file:
 .TP 10n
 askpass
 The fully qualified path to a helper program used to read the user's
 password when no terminal is available.
 This may be the case when
 \fBsudo\fR
-is executed from a graphical (as opposed to text-based) application.
+plugin architecture.
 The program specified by
 \fIaskpass\fR
 should display the argument passed to it as the prompt and write
 the user's password to the standard output.
 The value of
 \fIaskpass\fR
 may be overridden by the
 \fRSUDO_ASKPASS\fR
 environment variable.
 .TP 10n
 noexec
 The fully-qualified path to a shared library containing dummy
 versions of the
 \fBexecv\fR(),
 \fBexecve\fR()
 and
 \fBfexecve\fR()
 library functions that just return an error.
 This is used to implement the
 \fInoexec\fR
 functionality on systems that support
 \fRLD_PRELOAD\fR
 or its equivalent.
 Defaults to
 \fI@noexec_file@\fR.
 .SH "DEBUG FLAGS"
 \fBsudo\fR
 versions 1.8.4 and higher support a flexible debugging framework
 that can help track down what
 \fBsudo\fR
 is doing internally if there is a problem.
 .PP
 A
 \fRDebug\fR
 line consists of the
 \fRDebug\fR
 keyword, followed by the name of the program to debug
 (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
 the debug file name and a comma-separated list of debug flags.
 The debug flag syntax used by
 \fBsudo\fR
 and the
 \fIsudoers\fR
 plugin is
 \fIsubsystem\fR@\fIpriority\fR
 but the plugin is free to use a different format so long as it does
 not include a comma
 (`\&,').
 .PP
 For instance:
 .nf
 .sp
 .RS 6n
 Debug sudo /var/log/sudo_debug all@warn,plugin@info
 .RE
 .fi
 .PP
 would log all debugging statements at the
 \fIwarn\fR
 level and higher in addition to those at the
 \fIinfo\fR
 level for the plugin subsystem.
 .PP
 Currently, only one
 \fRDebug\fR
 entry per program is supported.
 The
 \fBsudo\fR
 \fRDebug\fR
 entry is shared by the
 \fBsudo\fR
 front end,
 \fBsudoedit\fR
 and the plugins.
 A future release may add support for per-plugin
 \fRDebug\fR
 lines and/or support for multiple debugging files for a single
 program.
 .PP
 The priorities used by the
 \fBsudo\fR
 front end, in order of decreasing severity, are:
 \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
 and
 \fIdebug\fR.
 Each priority, when specified, also includes all priorities higher
 than it.
 For example, a priority of
 \fInotice\fR
 would include debug messages logged at
 \fInotice\fR
 and higher.
 .PP
 The following subsystems are used by the
 \fBsudo\fR
 front-end:
 .TP 12n
 \fIall\fR
 matches every subsystem
 .TP 12n
 \fIargs\fR
 command line argument processing
 .TP 12n
 \fIconv\fR
 user conversation
 .TP 12n
 \fIedit\fR
 sudoedit
 .TP 12n
 \fIexec\fR
 command execution
 .TP 12n
 \fImain\fR
 \fBsudo\fR
 main function
 .TP 12n
 \fInetif\fR
 network interface handling
 .TP 12n
 \fIpcomm\fR
 communication with the plugin
 .TP 12n
 \fIplugin\fR
 plugin configuration
 .TP 12n
 \fIpty\fR
 pseudo-tty related code
 .TP 12n
 \fIselinux\fR
 SELinux-specific handling
 .TP 12n
 \fIutil\fR
 utility functions
 .TP 12n
 \fIutmp\fR
 utmp handling
 .SH "EXIT VALUE"
 Upon successful execution of a program, the exit status from
 \fIsudo\fR
@@ -1148,7 +926,7 @@ To aid in debugging
 crashes, you may wish to re-enable core dumps by setting
 ``disable_coredump''
 to false in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 file as follows:
 .nf
 .sp
@@ -1157,14 +935,9 @@ Set disable_coredump false
 .RE
 .fi
 .PP
-Note that by default, most operating systems disable core dumps
+See the
-from setuid programs, which includes
+sudo.conf(@mansectform@)
-\fBsudo\fR.
+manual for more information.
 To actually get a
 \fBsudo\fR
 core file you may need to enable core dumps for setuid processes.
 On BSD and Linux systems this is accomplished via the sysctl command,
 on Solaris the coreadm command can be used.
 .SH "ENVIRONMENT"
 \fBsudo\fR
 utilizes the following environment variables.
@@ -1333,6 +1106,7 @@ su(1),
 stat(2),
 login_cap(3),
 passwd(@mansectform@),
 sudo.conf(@mansectform@),
 sudoers(@mansectform@),
 sudo_plugin(@mansectsu@),
 sudoreplay(@mansectsu@),
--- a/doc/sudo.mdoc.in
+++ b/doc/sudo.mdoc.in
@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
 .\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd November 12, 2012
+.Dd February 5, 2013
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -139,7 +139,7 @@ which is configured via the file
 .Pa @sysconfdir@/sudoers ,
 or via LDAP.
 See the
-.Sx PLUGINS
+.Sx Plugins
 section for more information.
 .Pp
 The security policy determines what privileges, if any, a user has
@@ -202,7 +202,7 @@ If the
 environment variable is set, it specifies the path to the helper
 program.
 Otherwise, if
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 contains a line specifying the askpass program, that value will be
 used.
 For example:
@@ -687,7 +687,7 @@ for more information.
 When
 .Nm sudo
 executes a command, the security policy specifies the execution
-envionment for the command.
+environment for the command.
 Typically, the real and effective uid and gid are set to
 match those of the target user, as specified in the password database,
 and the group vector is initialized based on the group database
@@ -780,7 +780,7 @@ On some systems, the
 command sends
 .Dv SIGTERM
 to all non-system processes other than itself before rebooting
-the systyem.
+the system.
 This prevents
 .Nm sudo
 from relaying the
@@ -807,230 +807,28 @@ are run using the
 family of functions instead of
 .Fn system
 (which interposes a shell between the command and the calling process).
-.Sh PLUGINS
+.Ss Plugins
 Plugins are dynamically loaded based on the contents of the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 file.
 If no
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 file is present, or it contains no
 .Li Plugin
 lines,
 .Nm sudo
 will use the traditional
 .Em sudoers
-security policy and I/O logging, which corresponds to the following
+security policy and I/O logging.
 See the
 .Xr sudo.conf @mansectform@
 manual for details of the
 .Pa @sysconfdir@/sudo.conf
-file.
+file and the
 .Bd -literal
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .Ed
 .Pp
 A
 .Li Plugin
 line consists of the
 .Li Plugin
 keyword, followed by the
 .Em symbol_name
 and the
 .Em path
 to the shared object containing the plugin.
 The
 .Em symbol_name
 is the name of the
 .Li struct policy_plugin
 or
 .Li struct io_plugin
 in the plugin shared object.
 The
 .Em path
 may be fully qualified or relative.
 If not fully qualified it is relative to the
 .Pa @PLUGINDIR@
 directory.
 Any additional parameters after the
 .Em path
 are passed as arguments to the plugin's
 .Em open
 function.
 Lines that don't begin with
 .Li Plugin ,
 .Li Path ,
 .Li Debug ,
 or
 .Li Set
 are silently ignored.
 .Pp
 The
 .Pa @sysconfdir@/sudo.conf
 file is always parsed in the
 .Dq Li C
 locale.
 .Pp
 For more information, see the
 .Xr sudo_plugin @mansectsu@
-manual.
+manual for more information about the
 .Sh PATHS
 A
 .Li Path
 line consists of the
 .Li Path
 keyword, followed by the name of the path to set and its value.
 E.g.
 .Bd -literal -offset indent
 Path noexec @noexec_file@
 Path askpass /usr/X11R6/bin/ssh-askpass
 .Ed
 .Pp
 The following plugin-agnostic paths may be set in the
 .Pa @sysconfdir@/sudo.conf
 file:
 .Bl -tag -width 8n
 .It askpass
 The fully qualified path to a helper program used to read the user's
 password when no terminal is available.
 This may be the case when
 .Nm sudo
-is executed from a graphical (as opposed to text-based) application.
+plugin architecture.
 The program specified by
 .Em askpass
 should display the argument passed to it as the prompt and write
 the user's password to the standard output.
 The value of
 .Em askpass
 may be overridden by the
 .Ev SUDO_ASKPASS
 environment variable.
 .It noexec
 The fully-qualified path to a shared library containing dummy
 versions of the
 .Fn execv ,
 .Fn execve
 and
 .Fn fexecve
 library functions that just return an error.
 This is used to implement the
 .Em noexec
 functionality on systems that support
 .Ev LD_PRELOAD
 or its equivalent.
 Defaults to
 .Pa @noexec_file@ .
 .El
 .Sh DEBUG FLAGS
 .Nm sudo
 versions 1.8.4 and higher support a flexible debugging framework
 that can help track down what
 .Nm sudo
 is doing internally if there is a problem.
 .Pp
 A
 .Li Debug
 line consists of the
 .Li Debug
 keyword, followed by the name of the program to debug
 .Pq Nm sudo , Nm visudo , Nm sudoreplay ,
 the debug file name and a comma-separated list of debug flags.
 The debug flag syntax used by
 .Nm sudo
 and the
 .Em sudoers
 plugin is
 .Em subsystem Ns No @ Ns Em priority
 but the plugin is free to use a different format so long as it does
 not include a comma
 .Pq Ql \&, .
 .Pp
 For instance:
 .Bd -literal -offset indent
 Debug sudo /var/log/sudo_debug all@warn,plugin@info
 .Ed
 .Pp
 would log all debugging statements at the
 .Em warn
 level and higher in addition to those at the
 .Em info
 level for the plugin subsystem.
 .Pp
 Currently, only one
 .Li Debug
 entry per program is supported.
 The
 .Nm sudo
 .Li Debug
 entry is shared by the
 .Nm sudo
 front end,
 .Nm sudoedit
 and the plugins.
 A future release may add support for per-plugin
 .Li Debug
 lines and/or support for multiple debugging files for a single
 program.
 .Pp
 The priorities used by the
 .Nm sudo
 front end, in order of decreasing severity, are:
 .Em crit , err , warn , notice , diag , info , trace
 and
 .Em debug .
 Each priority, when specified, also includes all priorities higher
 than it.
 For example, a priority of
 .Em notice
 would include debug messages logged at
 .Em notice
 and higher.
 .Pp
 The following subsystems are used by the
 .Nm sudo
 front-end:
 .Bl -tag -width Fl
 .It Em all
 matches every subsystem
 .It Em args
 command line argument processing
 .It Em conv
 user conversation
 .It Em edit
 sudoedit
 .It Em exec
 command execution
 .It Em main
 .Nm sudo
 main function
 .It Em netif
 network interface handling
 .It Em pcomm
 communication with the plugin
 .It Em plugin
 plugin configuration
 .It Em pty
 pseudo-tty related code
 .It Em selinux
 SELinux-specific handling
 .It Em util
 utility functions
 .It Em utmp
 utmp handling
 .El
 .Sh EXIT VALUE
 Upon successful execution of a program, the exit status from
 .Em sudo
@@ -1112,20 +910,15 @@ To aid in debugging
 crashes, you may wish to re-enable core dumps by setting
 .Dq disable_coredump
 to false in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 file as follows:
 .Bd -literal -offset indent
 Set disable_coredump false
 .Ed
 .Pp
-Note that by default, most operating systems disable core dumps
+See the
-from setuid programs, which includes
+.Xr sudo.conf @mansectform@
-.Nm sudo .
+manual for more information.
 To actually get a
 .Nm sudo
 core file you may need to enable core dumps for setuid processes.
 On BSD and Linux systems this is accomplished via the sysctl command,
 on Solaris the coreadm command can be used.
 .Sh ENVIRONMENT
 .Nm sudo
 utilizes the following environment variables.
@@ -1261,6 +1054,7 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
 .Xr stat 2 ,
 .Xr login_cap 3 ,
 .Xr passwd @mansectform@ ,
 .Xr sudo.conf @mansectform@ ,
 .Xr sudoers @mansectform@ ,
 .Xr sudo_plugin @mansectsu@ ,
 .Xr sudoreplay @mansectsu@ ,
--- a/doc/sudo_plugin.cat
+++ b/doc/sudo_plugin.cat
@@ -5,11 +5,10 @@ NNAAMMEE
 DDEESSCCRRIIPPTTIIOONN
     Starting with version 1.8, ssuuddoo supports a plugin API for policy and
-     session logging.  By default, the _s_u_d_o_e_r_s policy plugin and an associated
+     session logging.  By default, the ssuuddooeerrss policy plugin and an associated
     I/O logging plugin are used.  Via the plugin API, ssuuddoo can be configured
     to use alternate policy and/or I/O logging plugins provided by third
-     parties.  The plugins to be used are specified via the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+     parties.  The plugins to be used are specified in the sudo.conf(4) file.
     file.
     The API is versioned with a major and minor number.  The minor version
     number is incremented when additions are made.  The major number is
@@ -18,50 +17,11 @@ DDEESSCCRRIIPPTTIIOONN
     The plugin API is defined by the sudo_plugin.h header file.
   TThhee ssuuddoo..ccoonnff ffiillee
     The _/_e_t_c_/_s_u_d_o_._c_o_n_f file contains plugin configuration directives.  The
     primary keyword is the Plugin directive, which causes a plugin to be
     loaded.  It is always parsed in the ``C'' locale.
     A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
     and the _p_a_t_h to the shared object containing the plugin.  The _s_y_m_b_o_l___n_a_m_e
     is the name of the struct policy_plugin or struct io_plugin in the plugin
     shared object.  The _p_a_t_h may be fully qualified or relative.  If not
     fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory.  Any
     additional parameters after the _p_a_t_h are passed as options to the
     plugin's ooppeenn() function.  Lines that don't begin with Plugin, Path,
     Debug or Set are silently ignored.
     The same shared object may contain multiple plugins, each with a
     different symbol name.  The shared object file must be owned by uid 0 and
     only writable by its owner.  Because of ambiguities that arise from
     composite policies, only a single policy plugin may be specified.  This
     limitation does not apply to I/O plugins.
     #
     # Default /etc/sudo.conf file
     #
     # Format:
     #   Plugin plugin_name plugin_path plugin_options ...
     #   Path askpass /path/to/askpass
     #   Path noexec /path/to/sudo_noexec.so
     #   Debug sudo /var/log/sudo_debug all@warn
     #   Set disable_coredump true
     #
     # The plugin_path is relative to /usr/local/libexec unless
     #   fully qualified.
     # The plugin_name corresponds to a global symbol in the plugin
     #   that contains the plugin interface structure.
     # The plugin_options are optional.
     #
     Plugin sudoers_policy sudoers.so
     Plugin sudoers_io sudoers.so
   PPoolliiccyy pplluuggiinn AAPPII
     A policy plugin must declare and populate a policy_plugin struct in the
     global scope.  This structure contains pointers to the functions that
     implement the ssuuddoo policy checks.  The name of the symbol should be
-     specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that ssuuddoo
+     specified in sudo.conf(4) along with a path to the plugin so that ssuuddoo
     can load it.
     struct policy_plugin {
@@ -143,26 +103,14 @@ DDEESSCCRRIIPPTTIIOONN
                 debug_flags=string
                       A comma-separated list of debug flags that correspond
-                       to ssuuddoo's Debug entry in _/_e_t_c_/_s_u_d_o_._c_o_n_f, if there is
+                       to ssuuddoo's Debug entry in sudo.conf(4), if there is one.
-                       one.  The flags are passed to the plugin as they appear
+                       The flags are passed to the plugin as they appear in
-                       in _/_e_t_c_/_s_u_d_o_._c_o_n_f.  The syntax used by ssuuddoo and the
+                       sudo.conf(4).  The syntax used by ssuuddoo and the ssuuddooeerrss
-                       _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is
+                       plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
-                       free to use a different format so long as it does not
+                       use a different format so long as it does not include a
-                       include a comma (`,').
+                       comma (`,').  There is not currently a way to specify a
-
+                       set of debug flags specific to the plugin--the flags
-                       For reference, the priorities supported by the ssuuddoo
+                       are shared by ssuuddoo and the plugin.
                       front end and _s_u_d_o_e_r_s are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e,
                       _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
                       The following subsystems are defined: _m_a_i_n, _m_e_m_o_r_y,
                       _a_r_g_s, _e_x_e_c, _p_t_y, _u_t_m_p, _c_o_n_v, _p_c_o_m_m, _u_t_i_l, _l_i_s_t, _n_e_t_i_f,
                       _a_u_d_i_t, _e_d_i_t, _s_e_l_i_n_u_x, _l_d_a_p, _m_a_t_c_h, _p_a_r_s_e_r, _a_l_i_a_s,
                       _d_e_f_a_u_l_t_s, _a_u_t_h, _e_n_v, _l_o_g_g_i_n_g, _n_s_s, _r_b_t_r_e_e, _p_e_r_m_s,
                       _p_l_u_g_i_n.  The subsystem _a_l_l includes every subsystem.
                       There is not currently a way to specify a set of debug
                       flags specific to the plugin--the flags are shared by
                       ssuuddoo and the plugin.
                 debug_level=number
                       This setting has been deprecated in favor of
@@ -297,9 +245,9 @@ DDEESSCCRRIIPPTTIIOONN
                       version 1.2
                 tcpgid=int
-                       The ID of the forground process group associated with
+                       The ID of the foreground process group associated with
-                       the terminal device associcated with the ssuuddoo process
+                       the terminal device associated with the ssuuddoo process or
-                       or -1 if there is no terminal present.  Only available
+                       -1 if there is no terminal present.  Only available
                       starting with API version 1.2
                 user=string
@@ -682,7 +630,7 @@ DDEESSCCRRIIPPTTIIOONN
           int (*validate)(void);
           The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv
-           flag.  For policy plugins such as _s_u_d_o_e_r_s that cache authentication
+           flag.  For policy plugins such as ssuuddooeerrss that cache authentication
           credentials, this function will validate and cache the credentials.
           The vvaalliiddaattee() function should be NULL if the plugin does not
@@ -697,7 +645,7 @@ DDEESSCCRRIIPPTTIIOONN
           void (*invalidate)(int remove);
           The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk
-           or --KK flag.  For policy plugins such as _s_u_d_o_e_r_s that cache
+           or --KK flag.  For policy plugins such as ssuuddooeerrss that cache
           authentication credentials, this function will invalidate the
           credentials.  If the _r_e_m_o_v_e flag is set, the plugin may remove the
           credentials instead of simply invalidating them.
@@ -1282,17 +1230,16 @@ DDEESSCCRRIIPPTTIIOONN
     Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
     with the SUDO_CONV_DEBUG_MSG _m_s_g___t_y_p_e are not directly user-visible.
     Instead, they are logged to the file specified in the Debug statement (if
-     any) in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+     any) in the sudo.conf(4).  file.  This allows a plugin to log debugging
-
+     information and is intended to be used in conjunction with the
-     file.  This allows a plugin to log debugging information and is intended
+     _d_e_b_u_g___f_l_a_g_s setting.
     to be used in conjunction with the _d_e_b_u_g___f_l_a_g_s setting.
     See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function
     usage.
   SSuuddooeerrss ggrroouupp pplluuggiinn AAPPII
-     The _s_u_d_o_e_r_s module supports a plugin interface to allow non-Unix group
+     The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix
-     lookups.  This can be used to query a group source other than the
+     group lookups.  This can be used to query a group source other than the
     standard Unix group database.  A sample group plugin is bundled with ssuuddoo
     that implements file-based lookups.  Third party group plugins include a
     QAS AD plugin available from Quest Software.
@@ -1315,7 +1262,7 @@ DDEESSCCRRIIPPTTIIOONN
     version
           The version field should be set to GROUP_API_VERSION.
-           This allows _s_u_d_o_e_r_s to determine the API version the group plugin
+           This allows ssuuddooeerrss to determine the API version the group plugin
           was built against.
     init
@@ -1332,9 +1279,9 @@ DDEESSCCRRIIPPTTIIOONN
           The function arguments are as follows:
           version
-                 The version passed in by _s_u_d_o_e_r_s allows the plugin to
+                 The version passed in by ssuuddooeerrss allows the plugin to
                 determine the major and minor version number of the group
-                 plugin API supported by _s_u_d_o_e_r_s.
+                 plugin API supported by ssuuddooeerrss.
           plugin_printf
                 A pointer to a pprriinnttff()-style function that may be used to
@@ -1349,7 +1296,7 @@ DDEESSCCRRIIPPTTIIOONN
     cleanup
           void (*cleanup)();
-           The cclleeaannuupp() function is called when _s_u_d_o_e_r_s has finished its
+           The cclleeaannuupp() function is called when ssuuddooeerrss has finished its
           group checks.  The plugin should free any memory it has allocated
           and close open file handles.
@@ -1401,7 +1348,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG
     Version 1.2
           The Policy and I/O logging plugins' ooppeenn() functions are now passed
-           a list of plugin options if any are specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f.
+           a list of plugin parameters if any are specified in sudo.conf(4).
           A simple hooks API has been introduced to allow plugins to hook in
           to the system's environment handling functions.
@@ -1419,7 +1366,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG
           common signals while the plugin functions are run.
 SSEEEE AALLSSOO
-     sudoers(4), sudo(1m)
+     sudo.conf(4), sudoers(4), sudo(1m)
 BBUUGGSS
     If you feel you have found a bug in ssuuddoo, please submit a bug report at
@@ -1437,4 +1384,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
     complete details.
-Sudo 1.8.7                     Janurary 11, 2013                    Sudo 1.8.7
+Sudo 1.8.7                     February 5, 2013                     Sudo 1.8.7
--- a/doc/sudo_plugin.man.in
+++ b/doc/sudo_plugin.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDO_PLUGIN" "5" "Janurary 11, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO_PLUGIN" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -28,14 +28,14 @@ Starting with version 1.8,
 supports a plugin API
 for policy and session logging.
 By default, the
-\fIsudoers\fR
+\fBsudoers\fR
 policy plugin and an associated I/O logging plugin are used.
 Via the plugin API,
 \fBsudo\fR
 can be configured to use alternate policy and/or I/O logging plugins
 provided by third parties.
-The plugins to be used are specified via the
+The plugins to be used are specified in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 file.
 .PP
 The API is versioned with a major and minor number.
@@ -47,81 +47,6 @@ major version matches.
 The plugin API is defined by the
 \fRsudo_plugin.h\fR
 header file.
 .SS "The sudo.conf file"
 The
 \fI@sysconfdir@/sudo.conf\fR
 file contains plugin configuration directives.
 The primary keyword is the
 \fRPlugin\fR
 directive, which causes a plugin to be loaded.
 It is always parsed in the
 ``\fRC\fR''
 locale.
 .PP
 A
 \fRPlugin\fR
 line consists of the
 \fRPlugin\fR
 keyword, followed by the
 \fIsymbol_name\fR
 and the
 \fIpath\fR
 to the shared object containing the plugin.
 The
 \fIsymbol_name\fR
 is the name of the
 \fRstruct policy_plugin\fR
 or
 \fRstruct io_plugin\fR
 in the plugin shared object.
 The
 \fIpath\fR
 may be fully qualified or relative.
 If not fully qualified it is relative to the
 \fI@PLUGINDIR@\fR
 directory.
 Any additional parameters after the
 \fIpath\fR
 are passed as options to the plugin's
 \fBopen\fR()
 function.
 Lines that don't begin with
 \fRPlugin\fR,
 \fRPath\fR,
 \fRDebug\fR
 or
 \fRSet\fR
 are silently ignored.
 .PP
 The same shared object may contain multiple plugins, each with a
 different symbol name.
 The shared object file must be owned by uid 0 and only writable by its owner.
 Because of ambiguities that arise from composite policies, only a single
 policy plugin may be specified.
 This limitation does not apply to I/O plugins.
 .nf
 .sp
 .RS 0n
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin sudoers_policy sudoers.so
 Plugin sudoers_io sudoers.so
 .RE
 .fi
 .SS "Policy plugin API"
 A policy plugin must declare and populate a
 \fRpolicy_plugin\fR
@@ -130,7 +55,7 @@ This structure contains pointers to the functions that implement the
 \fBsudo\fR
 policy checks.
 The name of the symbol should be specified in
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 along with a path to the plugin so that
 \fBsudo\fR
 can load it.
@@ -260,66 +185,19 @@ A comma-separated list of debug flags that correspond to
 \fBsudo\fR's
 \fRDebug\fR
 entry in
-\fI@sysconfdir@/sudo.conf\fR,
+sudo.conf(@mansectform@),
 if there is one.
 The flags are passed to the plugin as they appear in
-\fI@sysconfdir@/sudo.conf\fR.
+sudo.conf(@mansectform@).
 The syntax used by
 \fBsudo\fR
 and the
-\fIsudoers\fR
+\fBsudoers\fR
 plugin is
 \fIsubsystem\fR@\fIpriority\fR
 but the plugin is free to use a different
 format so long as it does not include a comma
 (`,\&').
 .sp
 For reference, the priorities supported by the
 \fBsudo\fR
 front end and
 \fIsudoers\fR
 are:
 \fIcrit\fR,
 \fIerr\fR,
 \fIwarn\fR,
 \fInotice\fR,
 \fIdiag\fR,
 \fIinfo\fR,
 \fItrace\fR
 and
 \fIdebug\fR.
 .sp
 The following subsystems are defined:
 \fImain\fR,
 \fImemory\fR,
 \fIargs\fR,
 \fIexec\fR,
 \fIpty\fR,
 \fIutmp\fR,
 \fIconv\fR,
 \fIpcomm\fR,
 \fIutil\fR,
 \fIlist\fR,
 \fInetif\fR,
 \fIaudit\fR,
 \fIedit\fR,
 \fIselinux\fR,
 \fIldap\fR,
 \fImatch\fR,
 \fIparser\fR,
 \fIalias\fR,
 \fIdefaults\fR,
 \fIauth\fR,
 \fIenv\fR,
 \fIlogging\fR,
 \fInss\fR,
 \fIrbtree\fR,
 \fIperms\fR,
 \fIplugin\fR.
 The subsystem
 \fIall\fR
 includes every subsystem.
 .sp
 There is not currently a way to specify a set of debug flags specific
 to the plugin--the flags are shared by
 \fBsudo\fR
@@ -542,8 +420,8 @@ to.
 Only available starting with API version 1.2
 .TP 6n
 tcpgid=int
-The ID of the forground process group associated with the terminal
+The ID of the foreground process group associated with the terminal
-device associcated with the
+device associated with the
 \fBsudo\fR
 process or \-1 if there is no
 terminal present.
@@ -1178,7 +1056,7 @@ is run with the
 \fB\-v\fR
 flag.
 For policy plugins such as
-\fIsudoers\fR
+\fBsudoers\fR
 that cache
 authentication credentials, this function will validate and cache
 the credentials.
@@ -1222,7 +1100,7 @@ or
 \fB\-K\fR
 flag.
 For policy plugins such as
-\fIsudoers\fR
+\fBsudoers\fR
 that
 cache authentication credentials, this function will invalidate the
 credentials.
@@ -2359,8 +2237,7 @@ user-visible.
 Instead, they are logged to the file specified in the
 \fRDebug\fR
 statement (if any) in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@).
 .PP
 file.
 This allows a plugin to log debugging information and is intended
 to be used in conjunction with the
@@ -2372,8 +2249,8 @@ See the sample plugin for an example of the
 function usage.
 .SS "Sudoers group plugin API"
 The
-\fIsudoers\fR
+\fBsudoers\fR
-module supports a plugin interface to allow non-Unix
+plugin supports its own plugin interface to allow non-Unix
 group lookups.
 This can be used to query a group source other than the standard Unix
 group database.
@@ -2411,7 +2288,7 @@ The
 field should be set to GROUP_API_VERSION.
 .sp
 This allows
-\fIsudoers\fR
+\fBsudoers\fR
 to determine the API version the group plugin
 was built against.
 .TP 6n
@@ -2443,10 +2320,10 @@ The function arguments are as follows:
 .TP 6n
 version
 The version passed in by
-\fIsudoers\fR
+\fBsudoers\fR
 allows the plugin to determine the
 major and minor version number of the group plugin API supported by
-\fIsudoers\fR.
+\fBsudoers\fR.
 .TP 6n
 plugin_printf
 A pointer to a
@@ -2480,7 +2357,7 @@ void (*cleanup)();
 The
 \fBcleanup\fR()
 function is called when
-\fIsudoers\fR
+\fBsudoers\fR
 has finished its
 group checks.
 The plugin should free any memory it has allocated and close open file handles.
@@ -2567,8 +2444,8 @@ Version 1.2
 The Policy and I/O logging plugins'
 \fBopen\fR()
 functions are now passed
-a list of plugin options if any are specified in
+a list of plugin parameters if any are specified in
-\fI@sysconfdir@/sudo.conf\fR.
+sudo.conf(@mansectform@).
 .sp
 A simple hooks API has been introduced to allow plugins to hook in to the
 system's environment handling functions.
@@ -2592,6 +2469,7 @@ The
 front end now installs default signal handlers to trap common signals
 while the plugin functions are run.
 .SH "SEE ALSO"
 sudo.conf(@mansectform@),
 sudoers(@mansectform@),
 sudo(@mansectsu@)
 .SH "BUGS"
--- a/doc/sudo_plugin.mdoc.in
+++ b/doc/sudo_plugin.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd Janurary 11, 2013
+.Dd February 5, 2013
 .Dt SUDO_PLUGIN @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -26,14 +26,14 @@ Starting with version 1.8,
 supports a plugin API
 for policy and session logging.
 By default, the
-.Em sudoers
+.Nm sudoers
 policy plugin and an associated I/O logging plugin are used.
 Via the plugin API,
 .Nm sudo
 can be configured to use alternate policy and/or I/O logging plugins
 provided by third parties.
-The plugins to be used are specified via the
+The plugins to be used are specified in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 file.
 .Pp
 The API is versioned with a major and minor number.
@@ -45,78 +45,6 @@ major version matches.
 The plugin API is defined by the
 .Li sudo_plugin.h
 header file.
 .Ss The sudo.conf file
 The
 .Pa @sysconfdir@/sudo.conf
 file contains plugin configuration directives.
 The primary keyword is the
 .Li Plugin
 directive, which causes a plugin to be loaded.
 It is always parsed in the
 .Dq Li C
 locale.
 .Pp
 A
 .Li Plugin
 line consists of the
 .Li Plugin
 keyword, followed by the
 .Em symbol_name
 and the
 .Em path
 to the shared object containing the plugin.
 The
 .Em symbol_name
 is the name of the
 .Li struct policy_plugin
 or
 .Li struct io_plugin
 in the plugin shared object.
 The
 .Em path
 may be fully qualified or relative.
 If not fully qualified it is relative to the
 .Pa @PLUGINDIR@
 directory.
 Any additional parameters after the
 .Em path
 are passed as options to the plugin's
 .Fn open
 function.
 Lines that don't begin with
 .Li Plugin ,
 .Li Path ,
 .Li Debug
 or
 .Li Set
 are silently ignored.
 .Pp
 The same shared object may contain multiple plugins, each with a
 different symbol name.
 The shared object file must be owned by uid 0 and only writable by its owner.
 Because of ambiguities that arise from composite policies, only a single
 policy plugin may be specified.
 This limitation does not apply to I/O plugins.
 .Bd -literal
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin sudoers_policy sudoers.so
 Plugin sudoers_io sudoers.so
 .Ed
 .Ss Policy plugin API
 A policy plugin must declare and populate a
 .Li policy_plugin
@@ -125,7 +53,7 @@ This structure contains pointers to the functions that implement the
 .Nm sudo
 policy checks.
 The name of the symbol should be specified in
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 along with a path to the plugin so that
 .Nm sudo
 can load it.
@@ -243,66 +171,19 @@ A comma-separated list of debug flags that correspond to
 .Nm sudo Ns No 's
 .Li Debug
 entry in
-.Pa @sysconfdir@/sudo.conf ,
+.Xr sudo.conf @mansectform@ ,
 if there is one.
 The flags are passed to the plugin as they appear in
-.Pa @sysconfdir@/sudo.conf .
+.Xr sudo.conf @mansectform@ .
 The syntax used by
 .Nm sudo
 and the
-.Em sudoers
+.Nm sudoers
 plugin is
 .Em subsystem Ns No @ Ns Em priority
 but the plugin is free to use a different
 format so long as it does not include a comma
 .Pq Ql ,\& .
 .Pp
 For reference, the priorities supported by the
 .Nm sudo
 front end and
 .Em sudoers
 are:
 .Em crit ,
 .Em err ,
 .Em warn ,
 .Em notice ,
 .Em diag ,
 .Em info ,
 .Em trace
 and
 .Em debug .
 .Pp
 The following subsystems are defined:
 .Em main ,
 .Em memory ,
 .Em args ,
 .Em exec ,
 .Em pty ,
 .Em utmp ,
 .Em conv ,
 .Em pcomm ,
 .Em util ,
 .Em list ,
 .Em netif ,
 .Em audit ,
 .Em edit ,
 .Em selinux ,
 .Em ldap ,
 .Em match ,
 .Em parser ,
 .Em alias ,
 .Em defaults ,
 .Em auth ,
 .Em env ,
 .Em logging ,
 .Em nss ,
 .Em rbtree ,
 .Em perms ,
 .Em plugin .
 The subsystem
 .Em all
 includes every subsystem.
 .Pp
 There is not currently a way to specify a set of debug flags specific
 to the plugin--the flags are shared by
 .Nm sudo
@@ -496,8 +377,8 @@ process belongs
 to.
 Only available starting with API version 1.2
 .It tcpgid=int
-The ID of the forground process group associated with the terminal
+The ID of the foreground process group associated with the terminal
-device associcated with the
+device associated with the
 .Nm sudo
 process or \-1 if there is no
 terminal present.
@@ -1038,7 +919,7 @@ is run with the
 .Fl v
 flag.
 For policy plugins such as
-.Em sudoers
+.Nm sudoers
 that cache
 authentication credentials, this function will validate and cache
 the credentials.
@@ -1074,7 +955,7 @@ or
 .Fl K
 flag.
 For policy plugins such as
-.Em sudoers
+.Nm sudoers
 that
 cache authentication credentials, this function will invalidate the
 credentials.
@@ -2047,8 +1928,7 @@ user-visible.
 Instead, they are logged to the file specified in the
 .Li Debug
 statement (if any) in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@ .
 .Pp
 file.
 This allows a plugin to log debugging information and is intended
 to be used in conjunction with the
@@ -2060,8 +1940,8 @@ See the sample plugin for an example of the
 function usage.
 .Ss Sudoers group plugin API
 The
-.Em sudoers
+.Nm sudoers
-module supports a plugin interface to allow non-Unix
+plugin supports its own plugin interface to allow non-Unix
 group lookups.
 This can be used to query a group source other than the standard Unix
 group database.
@@ -2096,7 +1976,7 @@ The
 field should be set to GROUP_API_VERSION.
 .Pp
 This allows
-.Em sudoers
+.Nm sudoers
 to determine the API version the group plugin
 was built against.
 .It init
@@ -2124,10 +2004,10 @@ The function arguments are as follows:
 .Bl -tag -width 4n
 .It version
 The version passed in by
-.Em sudoers
+.Nm sudoers
 allows the plugin to determine the
 major and minor version number of the group plugin API supported by
-.Em sudoers .
+.Nm sudoers .
 .It plugin_printf
 A pointer to a
 .Fn printf Ns No -style
@@ -2153,7 +2033,7 @@ void (*cleanup)();
 The
 .Fn cleanup
 function is called when
-.Em sudoers
+.Nm sudoers
 has finished its
 group checks.
 The plugin should free any memory it has allocated and close open file handles.
@@ -2223,8 +2103,8 @@ list as an argument.
 The Policy and I/O logging plugins'
 .Fn open
 functions are now passed
-a list of plugin options if any are specified in
+a list of plugin parameters if any are specified in
-.Pa @sysconfdir@/sudo.conf .
+.Xr sudo.conf @mansectform@ .
 .Pp
 A simple hooks API has been introduced to allow plugins to hook in to the
 system's environment handling functions.
@@ -2248,6 +2128,7 @@ front end now installs default signal handlers to trap common signals
 while the plugin functions are run.
 .El
 .Sh SEE ALSO
 .Xr sudo.conf @mansectform@ ,
 .Xr sudoers @mansectform@ ,
 .Xr sudo @mansectsu@
 .Sh BUGS
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1,15 +1,57 @@
 SUDOERS(4)                    Programmer's Manual                   SUDOERS(4)
 NNAAMMEE
-     ssuuddooeerrss - default sudo security policy module
+     ssuuddooeerrss - default sudo security policy plugin
 DDEESSCCRRIIPPTTIIOONN
-     The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges.  It is the
+     The _s_u_d_o_e_r_s policy plugin determines a user's ssuuddoo privileges.  It is the
     default ssuuddoo policy plugin.  The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
     file or, optionally in LDAP.  The policy format is described in detail in
     the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section.  For information on storing _s_u_d_o_e_r_s
     policy information in LDAP, please see sudoers.ldap(4).
   CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
     ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O
     logging plugins to load.  If no sudo.conf(4) file is present, or if it
     contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and
     I/O logging.  To explicitly configure sudo.conf(4) to use the ssuuddooeerrss
     plugin, the following configuration can be used.
           Plugin policy_plugin sudoers.so
           Plugin io_plugin sudoers.so
     Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to
     the ssuuddooeerrss plugin in the sudo.conf(4) file.  These arguments, if
     present, should be listed after the path to the plugin (i.e. after
     _s_u_d_o_e_r_s_._s_o).  Multiple arguments may be specified, separated by white
     space.  For example:
           Plugin sudoers_policy sudoers.so sudoers_mode=0400
     The following plugin arguments are supported:
     sudoers_file=pathname
               The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default
               path to the _s_u_d_o_e_r_s file.
     sudoers_uid=uid
               The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default
               owner of the sudoers file.  It should be specified as a numeric
               user ID.
     sudoers_gid=gid
               The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default
               group of the sudoers file.  It must be specified as a numeric
               group ID (not a group name).
     sudoers_mode=mode
               The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default
               file mode for the sudoers file.  It should be specified as an
               octal value.
     For more information on configuring sudo.conf(4), please refer to its
     manual.
   AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
     The _s_u_d_o_e_r_s security policy requires that most users authenticate
     themselves before they can use ssuuddoo.  A password is not required if the
@@ -1253,9 +1295,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                       escape %h will expand to the host name of the machine.
                       Default is ``*** SECURITY information for %h ***''.
-     noexec_file       This option is no longer supported.  The path to the
+     noexec_file       As of ssuuddoo version 1.8.1 this option is no longer
-                       noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+                       supported.  The path to the noexec file should now be
-                       file.
+                       set in the sudo.conf(4) file.
     passprompt        The default prompt to use when asking for a password;
                       can be overridden via the --pp option or the SUDO_PROMPT
@@ -1600,9 +1642,9 @@ LLOOGG FFOORRMMAATT
        when the _s_u_d_o_e_r_s file is located on a remote file system that maps
        user ID 0 to a different value.  Normally, ssuuddooeerrss tries to open
        _s_u_d_o_e_r_s using group permissions to avoid this problem.  Consider
-        changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like
+        either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
-        ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
+        like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
-        file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
+        file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
     unable to stat /etc/sudoers
        The _/_e_t_c_/_s_u_d_o_e_r_s file is missing.
@@ -1614,21 +1656,21 @@ LLOOGG FFOORRMMAATT
     /etc/sudoers is owned by uid N, should be 0
        The _s_u_d_o_e_r_s file has the wrong owner.  If you wish to change the
        _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the
-        user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the
+        user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the
-        _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
+        sudo.conf(4) file.
     /etc/sudoers is world writable
        The permissions on the _s_u_d_o_e_r_s file allow all users to write to it.
        The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is
        0440 (readable by owner and group, writable by none).  The default
        mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss
-        plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
+        Plugin line in the sudo.conf(4) file.
     /etc/sudoers is owned by gid N, should be 1
        The _s_u_d_o_e_r_s file has the wrong group ownership.  If you wish to change
        the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where
-        `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin
+        `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin
-        line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
+        line in the sudo.conf(4) file.
     unable to open /var/adm/sudo/username/ttyname
        _s_u_d_o_e_r_s was unable to read or create the user's time stamp file.
@@ -1668,110 +1710,6 @@ LLOOGG FFOORRMMAATT
          _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap
          will be disabled.
 SSUUDDOO..CCOONNFF
     The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will
     load.  If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin
     lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which
     corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
     #
     # Default /etc/sudo.conf file
     #
     # Format:
     #   Plugin plugin_name plugin_path plugin_options ...
     #   Path askpass /path/to/askpass
     #   Path noexec /path/to/sudo_noexec.so
     #   Debug sudo /var/log/sudo_debug all@warn
     #   Set disable_coredump true
     #
     # The plugin_path is relative to /usr/local/libexec unless
     #   fully qualified.
     # The plugin_name corresponds to a global symbol in the plugin
     #   that contains the plugin interface structure.
     # The plugin_options are optional.
     #
     Plugin policy_plugin sudoers.so
     Plugin io_plugin sudoers.so
   PPlluuggiinn ooppttiioonnss
     Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s
     plugin.  Options may be listed after the path to the plugin (i.e. after
     _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated.  For example:
     Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
     The following plugin options are supported:
     sudoers_file=pathname
               The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default
               path to the _s_u_d_o_e_r_s file.
     sudoers_uid=uid
               The _s_u_d_o_e_r_s___u_i_d option can be used to override the default
               owner of the sudoers file.  It should be specified as a numeric
               user ID.
     sudoers_gid=gid
               The _s_u_d_o_e_r_s___g_i_d option can be used to override the default
               group of the sudoers file.  It should be specified as a numeric
               group ID.
     sudoers_mode=mode
               The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default
               file mode for the sudoers file.  It should be specified as an
               octal value.
   DDeebbuugg ffllaaggss
     Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin support a debugging
     framework that can help track down what the plugin is doing internally if
     there is a problem.  This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as
     described in sudo(1m).
     The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end:
     _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
     The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
     _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of _n_o_t_i_c_e would include debug messages logged at
     _n_o_t_i_c_e and higher.
     The following subsystems are used by _s_u_d_o_e_r_s:
     _a_l_i_a_s     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
     _a_l_l       matches every subsystem
     _a_u_d_i_t     BSM and Linux audit code
     _a_u_t_h      user authentication
     _d_e_f_a_u_l_t_s  _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
     _e_n_v       environment handling
     _l_d_a_p      LDAP-based sudoers
     _l_o_g_g_i_n_g   logging support
     _m_a_t_c_h     matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
     _n_e_t_i_f     network interface handling
     _n_s_s       network service switch handling in _s_u_d_o_e_r_s
     _p_a_r_s_e_r    _s_u_d_o_e_r_s file parsing
     _p_e_r_m_s     permission setting
     _p_l_u_g_i_n    The equivalent of _m_a_i_n for the plugin.
     _p_t_y       pseudo-tty related code
     _r_b_t_r_e_e    redblack tree internals
     _u_t_i_l      utility functions
 FFIILLEESS
     _/_e_t_c_/_s_u_d_o_._c_o_n_f            Sudo front end configuration
@@ -2100,8 +2038,64 @@ SSEECCUURRIITTYY NNOOTTEESS
     stamp file is stale and will ignore it.  Administrators should not rely
     on this feature as it is not universally available.
 DDEEBBUUGGGGIINNGG
     Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the
     sudo.conf(4) file.
     The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end:
     _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
     The priorities used by ssuuddooeerrss, in order of decreasing severity, are:
     _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of _n_o_t_i_c_e would include debug messages logged at
     _n_o_t_i_c_e and higher.
     The following subsystems are used by the ssuuddooeerrss plugin:
     _a_l_i_a_s     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
     _a_l_l       matches every subsystem
     _a_u_d_i_t     BSM and Linux audit code
     _a_u_t_h      user authentication
     _d_e_f_a_u_l_t_s  _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
     _e_n_v       environment handling
     _l_d_a_p      LDAP-based sudoers
     _l_o_g_g_i_n_g   logging support
     _m_a_t_c_h     matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
     _n_e_t_i_f     network interface handling
     _n_s_s       network service switch handling in _s_u_d_o_e_r_s
     _p_a_r_s_e_r    _s_u_d_o_e_r_s file parsing
     _p_e_r_m_s     permission setting
     _p_l_u_g_i_n    The equivalent of _m_a_i_n for the plugin.
     _p_t_y       pseudo-tty related code
     _r_b_t_r_e_e    redblack tree internals
     _u_t_i_l      utility functions
     For example:
     Debug sudo /var/log/sudo_debug match@info,nss@info
     For more information, see the sudo.conf(4) manual.
 SSEEEE AALLSSOO
-     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
     sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
 CCAAVVEEAATTSS
@@ -2131,4 +2125,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
     complete details.
-Sudo 1.8.7                     January 27, 2013                     Sudo 1.8.7
+Sudo 1.8.7                     February 5, 2013                     Sudo 1.8.7
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -2,7 +2,7 @@
 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
 .\"
 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -21,16 +21,16 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "@mansectsu@" "January 27, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
 \fBsudoers\fR
-\- default sudo security policy module
+\- default sudo security policy plugin
 .SH "DESCRIPTION"
 The
 \fIsudoers\fR
-policy module determines a user's
+policy plugin determines a user's
 \fBsudo\fR
 privileges.
 It is the default
@@ -48,6 +48,81 @@ For information on storing
 policy information
 in LDAP, please see
 sudoers.ldap(@mansectform@).
 .SS "Configuring sudo.conf for sudoers"
 \fBsudo\fR
 consults the
 sudo.conf(@mansectform@)
 file to determine which policy and and I/O logging plugins to load.
 If no
 sudo.conf(@mansectform@)
 file is present, or if it contains no
 \fRPlugin\fR
 lines,
 \fBsudoers\fR
 will be used for policy decisions and I/O logging.
 To explicitly configure
 sudo.conf(@mansectform@)
 to use the
 \fBsudoers\fR
 plugin, the following configuration can be used.
 .nf
 .sp
 .RS 6n
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .RE
 .fi
 .PP
 Starting with
 \fBsudo\fR
 1.8.5, it is possible to specify optional arguments to the
 \fBsudoers\fR
 plugin in the
 sudo.conf(@mansectform@)
 file.
 These arguments, if present, should be listed after the path to the plugin
 (i.e.\& after
 \fIsudoers.so\fR).
 Multiple arguments may be specified, separated by white space.
 For example:
 .nf
 .sp
 .RS 6n
 Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .RE
 .fi
 .PP
 The following plugin arguments are supported:
 .TP 10n
 sudoers_file=pathname
 The
 \fIsudoers_file\fR
 arguments can be used to override the default path
 to the
 \fIsudoers\fR
 file.
 .TP 10n
 sudoers_uid=uid
 The
 \fIsudoers_uid\fR
 arguments can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .TP 10n
 sudoers_gid=gid
 The
 \fIsudoers_gid\fR
 arguments can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .TP 10n
 sudoers_mode=mode
 The
 \fIsudoers_mode\fR
 arguments can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .PP
 For more information on configuring
 sudo.conf(@mansectform@),
 please refer to its manual.
 .SS "Authentication and logging"
 The
 \fIsudoers\fR
@@ -2652,9 +2727,11 @@ Default is
 ``\fR@mailsub@\fR''.
 .TP 18n
 noexec_file
-This option is no longer supported.
+As of
 \fBsudo\fR
 version 1.8.1 this option is no longer supported.
 The path to the noexec file should now be set in the
-\fI@sysconfdir@/sudo.conf\fR
+sudo.conf(@mansectform@)
 file.
 .TP 18n
 passprompt
@@ -3317,18 +3394,19 @@ Normally,
 tries to open
 \fIsudoers\fR
 using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
 \fI@sysconfdir@/sudoers\fR
-by adding an option like
+or adding an argument like
 ``sudoers_uid=N''
 (where
 `N'
 is the user ID that owns the
 \fIsudoers\fR
-file) to the
+file) to the end of the
 \fBsudoers\fR
-plugin line in the
+\fRPlugin\fR
-\fI@sysconfdir@/sudo.conf\fR
+line in the
 sudo.conf(@mansectform@)
 file.
 .TP 3n
 unable to stat @sysconfdir@/sudoers
@@ -3355,8 +3433,9 @@ is the user ID that owns the
 \fIsudoers\fR
 file) to the
 \fBsudoers\fR
-plugin line in the
+\fRPlugin\fR
-\fI@sysconfdir@/sudo.conf\fR
+line in the
 sudo.conf(@mansectform@)
 file.
 .TP 3n
@sysconfdir@/sudoers is world writable
@@ -3371,8 +3450,9 @@ The default mode may be changed via the
 ``sudoers_mode''
 option to the
 \fBsudoers\fR
-plugin line in the
+\fRPlugin\fR
-\fI@sysconfdir@/sudo.conf\fR
+line in the
 sudo.conf(@mansectform@)
 file.
 .TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1
@@ -3389,8 +3469,9 @@ is the group ID that owns the
 \fIsudoers\fR
 file) to the
 \fBsudoers\fR
-plugin line in the
+\fRPlugin\fR
-\fI@sysconfdir@/sudo.conf\fR
+line in the
 sudo.conf(@mansectform@)
 file.
 .TP 3n
 unable to open @timedir@/username/ttyname
@@ -3470,193 +3551,6 @@ If the
 option is set to 0 (or negated with a
 `\&!'),
 word wrap will be disabled.
 .SH "SUDO.CONF"
 The
 \fI@sysconfdir@/sudo.conf\fR
 file determines which plugins the
 \fBsudo\fR
 front end will load.
 If no
 \fI@sysconfdir@/sudo.conf\fR
 file
 is present, or it contains no
 \fRPlugin\fR
 lines,
 \fBsudo\fR
 will use the
 \fIsudoers\fR
 security policy and I/O logging, which corresponds to the following
 \fI@sysconfdir@/sudo.conf\fR
 file.
 .nf
 .sp
 .RS 0n
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .RE
 .fi
 .SS "Plugin options"
 Starting with
 \fBsudo\fR
 1.8.5, it is possible to pass options to the
 \fIsudoers\fR
 plugin.
 Options may be listed after the path to the plugin (i.e.\& after
 \fIsudoers.so\fR);
 multiple options should be space-separated.
 For example:
 .nf
 .sp
 .RS 0n
 Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
 .RE
 .fi
 .PP
 The following plugin options are supported:
 .TP 10n
 sudoers_file=pathname
 The
 \fIsudoers_file\fR
 option can be used to override the default path
 to the
 \fIsudoers\fR
 file.
 .TP 10n
 sudoers_uid=uid
 The
 \fIsudoers_uid\fR
 option can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .TP 10n
 sudoers_gid=gid
 The
 \fIsudoers_gid\fR
 option can be used to override the default group of the sudoers file.
 It should be specified as a numeric group ID.
 .TP 10n
 sudoers_mode=mode
 The
 \fIsudoers_mode\fR
 option can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .SS "Debug flags"
 Versions 1.8.4 and higher of the
 \fIsudoers\fR
 plugin support a debugging framework that can help track down what the
 plugin is doing internally if there is a problem.
 This can be configured in the
 \fI@sysconfdir@/sudo.conf\fR
 file as described in
 sudo(@mansectsu@).
 .PP
 The
 \fIsudoers\fR
 plugin uses the same debug flag format as the
 \fBsudo\fR
 front-end:
 \fIsubsystem\fR@\fIpriority\fR.
 .PP
 The priorities used by
 \fIsudoers\fR,
 in order of decreasing severity,
 are:
 \fIcrit\fR,
 \fIerr\fR,
 \fIwarn\fR,
 \fInotice\fR,
 \fIdiag\fR,
 \fIinfo\fR,
 \fItrace\fR
 and
 \fIdebug\fR.
 Each priority, when specified, also includes all priorities higher than it.
 For example, a priority of
 \fInotice\fR
 would include debug messages logged at
 \fInotice\fR
 and higher.
 .PP
 The following subsystems are used by
 \fIsudoers\fR:
 .TP 10n
 \fIalias\fR
 \fRUser_Alias\fR,
 \fRRunas_Alias\fR,
 \fRHost_Alias\fR
 and
 \fRCmnd_Alias\fR
 processing
 .TP 10n
 \fIall\fR
 matches every subsystem
 .TP 10n
 \fIaudit\fR
 BSM and Linux audit code
 .TP 10n
 \fIauth\fR
 user authentication
 .TP 10n
 \fIdefaults\fR
 \fIsudoers\fR
 \fIDefaults\fR
 settings
 .TP 10n
 \fIenv\fR
 environment handling
 .TP 10n
 \fIldap\fR
 LDAP-based sudoers
 .TP 10n
 \fIlogging\fR
 logging support
 .TP 10n
 \fImatch\fR
 matching of users, groups, hosts and netgroups in
 \fIsudoers\fR
 .TP 10n
 \fInetif\fR
 network interface handling
 .TP 10n
 \fInss\fR
 network service switch handling in
 \fIsudoers\fR
 .TP 10n
 \fIparser\fR
 \fIsudoers\fR
 file parsing
 .TP 10n
 \fIperms\fR
 permission setting
 .TP 10n
 \fIplugin\fR
 The equivalent of
 \fImain\fR
 for the plugin.
 .TP 10n
 \fIpty\fR
 pseudo-tty related code
 .TP 10n
 \fIrbtree\fR
 redblack tree internals
 .TP 10n
 \fIutil\fR
 utility functions
 .SH "FILES"
 .TP 26n
 \fI@sysconfdir@/sudo.conf\fR
@@ -4309,6 +4203,117 @@ is able to determine when a tty-based time stamp file is stale and will
 ignore it.
 Administrators should not rely on this feature as it is not universally
 available.
 .SH "DEBUGGING"
 Versions 1.8.4 and higher of the
 \fBsudoers\fR
 plugin support a flexible debugging framework that can help track
 down what the plugin is doing internally if there is a problem.
 This can be configured in the
 sudo.conf(@mansectform@)
 file.
 .PP
 The
 \fBsudoers\fR
 plugin uses the same debug flag format as the
 \fBsudo\fR
 front-end:
 \fIsubsystem\fR@\fIpriority\fR.
 .PP
 The priorities used by
 \fBsudoers\fR,
 in order of decreasing severity,
 are:
 \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
 and
 \fIdebug\fR.
 Each priority, when specified, also includes all priorities higher
 than it.
 For example, a priority of
 \fInotice\fR
 would include debug messages logged at
 \fInotice\fR
 and higher.
 .PP
 The following subsystems are used by the
 \fBsudoers\fR
 plugin:
 .TP 10n
 \fIalias\fR
 \fRUser_Alias\fR,
 \fRRunas_Alias\fR,
 \fRHost_Alias\fR
 and
 \fRCmnd_Alias\fR
 processing
 .TP 10n
 \fIall\fR
 matches every subsystem
 .TP 10n
 \fIaudit\fR
 BSM and Linux audit code
 .TP 10n
 \fIauth\fR
 user authentication
 .TP 10n
 \fIdefaults\fR
 \fIsudoers\fR
 \fIDefaults\fR
 settings
 .TP 10n
 \fIenv\fR
 environment handling
 .TP 10n
 \fIldap\fR
 LDAP-based sudoers
 .TP 10n
 \fIlogging\fR
 logging support
 .TP 10n
 \fImatch\fR
 matching of users, groups, hosts and netgroups in
 \fIsudoers\fR
 .TP 10n
 \fInetif\fR
 network interface handling
 .TP 10n
 \fInss\fR
 network service switch handling in
 \fIsudoers\fR
 .TP 10n
 \fIparser\fR
 \fIsudoers\fR
 file parsing
 .TP 10n
 \fIperms\fR
 permission setting
 .TP 10n
 \fIplugin\fR
 The equivalent of
 \fImain\fR
 for the plugin.
 .TP 10n
 \fIpty\fR
 pseudo-tty related code
 .TP 10n
 \fIrbtree\fR
 redblack tree internals
 .TP 10n
 \fIutil\fR
 utility functions
 .PD 0
 .PP
 .PD
 For example:
 .nf
 .sp
 .RS 0n
 Debug sudo /var/log/sudo_debug match@info,nss@info
 .RE
 .fi
 .PP
 For more information, see the
 sudo.conf(@mansectform@)
 manual.
 .SH "SEE ALSO"
 ssh(1),
 su(1),
@@ -4316,6 +4321,7 @@ fnmatch(3),
 glob(3),
 mktemp(3),
 strftime(3),
 sudo.conf(@mansectform@),
 sudoers.ldap(@mansectform@),
 sudo_plugin(@mansectsu@),
 sudo(@mansectsu@),
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -1,6 +1,6 @@
 .\"
 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"	Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -19,16 +19,16 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd January 27, 2013
+.Dd February 5, 2013
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
 .Nm sudoers
-.Nd default sudo security policy module
+.Nd default sudo security policy plugin
 .Sh DESCRIPTION
 The
 .Em sudoers
-policy module determines a user's
+policy plugin determines a user's
 .Nm sudo
 privileges.
 It is the default
@@ -46,6 +46,73 @@ For information on storing
 policy information
 in LDAP, please see
 .Xr sudoers.ldap @mansectform@ .
 .Ss Configuring sudo.conf for sudoers
 .Nm sudo
 consults the
 .Xr sudo.conf @mansectform@
 file to determine which policy and and I/O logging plugins to load.
 If no
 .Xr sudo.conf @mansectform@
 file is present, or if it contains no
 .Li Plugin
 lines,
 .Nm sudoers
 will be used for policy decisions and I/O logging.
 To explicitly configure
 .Xr sudo.conf @mansectform@
 to use the
 .Nm sudoers
 plugin, the following configuration can be used.
 .Bd -literal -offset indent
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .Ed
 .Pp
 Starting with
 .Nm sudo
 1.8.5, it is possible to specify optional arguments to the
 .Nm sudoers
 plugin in the
 .Xr sudo.conf @mansectform@
 file.
 These arguments, if present, should be listed after the path to the plugin
 (i.e.\& after
 .Pa sudoers.so ) .
 Multiple arguments may be specified, separated by white space.
 For example:
 .Bd -literal -offset indent
 Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .Ed
 .Pp
 The following plugin arguments are supported:
 .Bl -tag -width 8n
 .It sudoers_file=pathname
 The
 .Em sudoers_file
 arguments can be used to override the default path
 to the
 .Em sudoers
 file.
 .It sudoers_uid=uid
 The
 .Em sudoers_uid
 arguments can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .It sudoers_gid=gid
 The
 .Em sudoers_gid
 arguments can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .It sudoers_mode=mode
 The
 .Em sudoers_mode
 arguments can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .El
 .Pp
 For more information on configuring
 .Xr sudo.conf @mansectform@ ,
 please refer to its manual.
 .Ss Authentication and logging
 The
 .Em sudoers
@@ -2481,9 +2548,11 @@ will expand to the host name of the machine.
 Default is
 .Dq Li @mailsub@ .
 .It noexec_file
-This option is no longer supported.
+As of
 .Nm sudo
 version 1.8.1 this option is no longer supported.
 The path to the noexec file should now be set in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
 file.
 .It passprompt
 The default prompt to use when asking for a password; can be overridden via the
@@ -3071,18 +3140,19 @@ Normally,
 tries to open
 .Em sudoers
 using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
 .Pa @sysconfdir@/sudoers
-by adding an option like
+or adding an argument like
 .Dq sudoers_uid=N
 (where
 .Sq N
 is the user ID that owns the
 .Em sudoers
-file) to the
+file) to the end of the
 .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
 .Xr sudo.conf @mansectform@
 file.
 .It unable to stat @sysconfdir@/sudoers
 The
@@ -3106,8 +3176,9 @@ is the user ID that owns the
 .Em sudoers
 file) to the
 .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
 .Xr sudo.conf @mansectform@
 file.
 .It @sysconfdir@/sudoers is world writable
 The permissions on the
@@ -3121,8 +3192,9 @@ The default mode may be changed via the
 .Dq sudoers_mode
 option to the
 .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
 .Xr sudo.conf @mansectform@
 file.
 .It @sysconfdir@/sudoers is owned by gid N, should be 1
 The
@@ -3138,8 +3210,9 @@ is the group ID that owns the
 .Em sudoers
 file) to the
 .Nm sudoers
-plugin line in the
+.Li Plugin
-.Pa @sysconfdir@/sudo.conf
+line in the
 .Xr sudo.conf @mansectform@
 file.
 .It unable to open @timedir@/username/ttyname
 .Em sudoers
@@ -3216,170 +3289,6 @@ option is set to 0 (or negated with a
 .Ql \&! ) ,
 word wrap will be disabled.
 .El
 .Sh SUDO.CONF
 The
 .Pa @sysconfdir@/sudo.conf
 file determines which plugins the
 .Nm sudo
 front end will load.
 If no
 .Pa @sysconfdir@/sudo.conf
 file
 is present, or it contains no
 .Li Plugin
 lines,
 .Nm sudo
 will use the
 .Em sudoers
 security policy and I/O logging, which corresponds to the following
 .Pa @sysconfdir@/sudo.conf
 file.
 .Bd -literal
 #
 # Default @sysconfdir@/sudo.conf file
 #
 # Format:
 #   Plugin plugin_name plugin_path plugin_options ...
 #   Path askpass /path/to/askpass
 #   Path noexec /path/to/sudo_noexec.so
 #   Debug sudo /var/log/sudo_debug all@warn
 #   Set disable_coredump true
 #
 # The plugin_path is relative to @PLUGINDIR@ unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 Plugin policy_plugin sudoers.so
 Plugin io_plugin sudoers.so
 .Ed
 .Ss Plugin options
 Starting with
 .Nm sudo
 1.8.5, it is possible to pass options to the
 .Em sudoers
 plugin.
 Options may be listed after the path to the plugin (i.e.\& after
 .Pa sudoers.so ) ;
 multiple options should be space-separated.
 For example:
 .Bd -literal
 Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
 .Ed
 .Pp
 The following plugin options are supported:
 .Bl -tag -width 8n
 .It sudoers_file=pathname
 The
 .Em sudoers_file
 option can be used to override the default path
 to the
 .Em sudoers
 file.
 .It sudoers_uid=uid
 The
 .Em sudoers_uid
 option can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .It sudoers_gid=gid
 The
 .Em sudoers_gid
 option can be used to override the default group of the sudoers file.
 It should be specified as a numeric group ID.
 .It sudoers_mode=mode
 The
 .Em sudoers_mode
 option can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .El
 .Ss Debug flags
 Versions 1.8.4 and higher of the
 .Em sudoers
 plugin support a debugging framework that can help track down what the
 plugin is doing internally if there is a problem.
 This can be configured in the
 .Pa @sysconfdir@/sudo.conf
 file as described in
 .Xr sudo @mansectsu@ .
 .Pp
 The
 .Em sudoers
 plugin uses the same debug flag format as the
 .Nm sudo
 front-end:
 .Em subsystem Ns No @ Ns Em priority .
 .Pp
 The priorities used by
 .Em sudoers ,
 in order of decreasing severity,
 are:
 .Em crit ,
 .Em err ,
 .Em warn ,
 .Em notice ,
 .Em diag ,
 .Em info ,
 .Em trace
 and
 .Em debug .
 Each priority, when specified, also includes all priorities higher than it.
 For example, a priority of
 .Em notice
 would include debug messages logged at
 .Em notice
 and higher.
 .Pp
 The following subsystems are used by
 .Em sudoers :
 .Bl -tag -width 8n
 .It Em alias
 .Li User_Alias ,
 .Li Runas_Alias ,
 .Li Host_Alias
 and
 .Li Cmnd_Alias
 processing
 .It Em all
 matches every subsystem
 .It Em audit
 BSM and Linux audit code
 .It Em auth
 user authentication
 .It Em defaults
 .Em sudoers
 .Em Defaults
 settings
 .It Em env
 environment handling
 .It Em ldap
 LDAP-based sudoers
 .It Em logging
 logging support
 .It Em match
 matching of users, groups, hosts and netgroups in
 .Em sudoers
 .It Em netif
 network interface handling
 .It Em nss
 network service switch handling in
 .Em sudoers
 .It Em parser
 .Em sudoers
 file parsing
 .It Em perms
 permission setting
 .It Em plugin
 The equivalent of
 .Em main
 for the plugin.
 .It Em pty
 pseudo-tty related code
 .It Em rbtree
 redblack tree internals
 .It Em util
 utility functions
 .El
 .Sh FILES
 .Bl -tag -width 24n
 .It Pa @sysconfdir@/sudo.conf
@@ -3962,6 +3871,96 @@ is able to determine when a tty-based time stamp file is stale and will
 ignore it.
 Administrators should not rely on this feature as it is not universally
 available.
 .Sh DEBUGGING
 Versions 1.8.4 and higher of the
 .Nm sudoers
 plugin support a flexible debugging framework that can help track
 down what the plugin is doing internally if there is a problem.
 This can be configured in the
 .Xr sudo.conf @mansectform@
 file.
 .Pp
 The
 .Nm sudoers
 plugin uses the same debug flag format as the
 .Nm sudo
 front-end:
 .Em subsystem Ns No @ Ns Em priority .
 .Pp
 The priorities used by
 .Nm sudoers ,
 in order of decreasing severity,
 are:
 .Em crit , err , warn , notice , diag , info , trace
 and
 .Em debug .
 Each priority, when specified, also includes all priorities higher
 than it.
 For example, a priority of
 .Em notice
 would include debug messages logged at
 .Em notice
 and higher.
 .Pp
 The following subsystems are used by the
 .Nm sudoers
 plugin:
 .Bl -tag -width 8n
 .It Em alias
 .Li User_Alias ,
 .Li Runas_Alias ,
 .Li Host_Alias
 and
 .Li Cmnd_Alias
 processing
 .It Em all
 matches every subsystem
 .It Em audit
 BSM and Linux audit code
 .It Em auth
 user authentication
 .It Em defaults
 .Em sudoers
 .Em Defaults
 settings
 .It Em env
 environment handling
 .It Em ldap
 LDAP-based sudoers
 .It Em logging
 logging support
 .It Em match
 matching of users, groups, hosts and netgroups in
 .Em sudoers
 .It Em netif
 network interface handling
 .It Em nss
 network service switch handling in
 .Em sudoers
 .It Em parser
 .Em sudoers
 file parsing
 .It Em perms
 permission setting
 .It Em plugin
 The equivalent of
 .Em main
 for the plugin.
 .It Em pty
 pseudo-tty related code
 .It Em rbtree
 redblack tree internals
 .It Em util
 utility functions
 .El
 For example:
 .Bd -literal
 Debug sudo /var/log/sudo_debug match@info,nss@info
 .Ed
 .Pp
 For more information, see the
 .Xr sudo.conf @mansectform@
 manual.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr su 1 ,
@@ -3969,6 +3968,7 @@ available.
 .Xr glob 3 ,
 .Xr mktemp 3 ,
 .Xr strftime 3 ,
 .Xr sudo.conf @mansectform@ ,
 .Xr sudoers.ldap @mansectform@ ,
 .Xr sudo_plugin @mansectsu@ ,
 .Xr sudo @mansectsu@ ,