From 2e84f169cc43ea070ac3c44d06a2674841e521b8 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 13 Mar 2013 11:32:31 -0400 Subject: [PATCH] Document direct execution of the command if the policy plugin has no close function. --- doc/sudo.cat | 17 ++++++++++------- doc/sudo.man.in | 11 +++++++++-- doc/sudo.mdoc.in | 11 +++++++++-- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/doc/sudo.cat b/doc/sudo.cat index 402cb8f02..05ceae378 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat 
@@ -333,13 +333,16 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN environment as described above, and calls the execve system call in the child process. The main ssuuddoo process waits until the command has completed, then passes the command's exit status to the security policy's - close method and exits. If an I/O logging plugin is configured, a new - pseudo-terminal (``pty'') is created and a second ssuuddoo process is used to - relay job control signals between the user's existing pty and the new pty - the command is being run in. This extra process makes it possible to, - for example, suspend and resume the command. Without it, the command - would be in what POSIX terms an ``orphaned process group'' and it would - not receive any job control signals. + close function and exits. If an I/O logging plugin is configured or if + the security policy explicitly requests it, a new pseudo-terminal + (``pty'') is created and a second ssuuddoo process is used to relay job + control signals between the user's existing pty and the new pty the + command is being run in. This extra process makes it possible to, for + example, suspend and resume the command. Without it, the command would + be in what POSIX terms an ``orphaned process group'' and it would not + receive any job control signals. As a special case, if the policy plugin + does not define a close function and no pty is required, ssuuddoo will + execute the command directly instead of calling fork(2) first. SSiiggnnaall hhaannddlliinngg Because the command is run as a child of the ssuuddoo process, ssuuddoo will diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 440f30c0e..ceb2aa40c 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in 
@@ -747,8 +747,9 @@ system call in the child process. The main \fBsudo\fR process waits until the command has completed, then passes the -command's exit status to the security policy's close method and exits. -If an I/O logging plugin is configured, a new pseudo-terminal +command's exit status to the security policy's close function and exits. +If an I/O logging plugin is configured or if the security policy +explicitly requests it, a new pseudo-terminal (``pty'') is created and a second \fBsudo\fR @@ -759,6 +760,12 @@ and resume the command. Without it, the command would be in what POSIX terms an ``orphaned process group'' and it would not receive any job control signals. +As a special case, if the policy plugin does not define a close +function and no pty is required, +\fBsudo\fR +will execute the command directly instead of calling +fork(2) +first. .SS "Signal handling" Because the command is run as a child of the \fBsudo\fR diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index d3fe3c2eb..74c657a5b 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -731,8 +731,9 @@ system call in the child process. The main .Nm sudo process waits until the command has completed, then passes the -command's exit status to the security policy's close method and exits. -If an I/O logging plugin is configured, a new pseudo-terminal +command's exit status to the security policy's close function and exits. +If an I/O logging plugin is configured or if the security policy +explicitly requests it, a new pseudo-terminal .Pq Dq pty is created and a second .Nm sudo 
@@ -743,6 +744,12 @@ and resume the command. Without it, the command would be in what POSIX terms an .Dq orphaned process group and it would not receive any job control signals. +As a special case, if the policy plugin does not define a close +function and no pty is required, +.Nm sudo +will execute the command directly instead of calling +.Xr fork 2 +first. .Ss Signal handling Because the command is run as a child of the .Nm sudo
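Review bot: The special-case sentence added at the end of the "orphaned process group" paragraph (sudo.cat, and the second hunks of sudo.man.in and sudo.mdoc.in) is contradicted by the unchanged text on both sides of it. The context line that follows still opens the Signal handling section with "Because the command is run as a child of the sudo process", and the earlier sentence still says the main sudo process waits for the command and passes its exit status to the close function. When sudo executes the command directly there is no forked child and no sudo process left to wait for it, so I would qualify both places, for example "When the command is run as a child of the sudo process, ..." in Signal handling, and say in the new sentence that in this case no sudo process remains once the command is running.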
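Review bot: The added clause "or if the security policy explicitly requests it" (sudo.cat hunk and the first hunks of sudo.man.in and sudo.mdoc.in) does not say how a policy plugin makes that request. Since the new special case depends on "no pty is required", a reader trying to work out whether a given policy leads to fork plus pty, fork only, or direct execution cannot do so from this text. Suggest naming the setting the policy uses or adding a cross-reference to the plugin API manual where it is documented.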