From 61dfad9c52455b1e565aa38a1a891ad21fd9f9a5 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 2 Aug 2012 21:11:25 -0400 Subject: [PATCH] Expand section on Solaris privileges. --- doc/sudoers.cat | 20 ++++++++++++++++++++ doc/sudoers.man.in | 35 +++++++++++++++++++++++++++++++++++ doc/sudoers.mdoc.in | 30 ++++++++++++++++++++++++++++++ 3 files changed, 85 insertions(+) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index c955f63ae..b1bf7b0b6 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -441,6 +441,26 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT privileges or limit privileges are specified with the command it will override any default values specified in _s_u_d_o_e_r_s. + A privilege set is a comma-separated list of privilege names. The + ppriv(1) command can be used to list all privileges known to the system. + For example: + + $ ppriv -l + + In addition, there are several ``special'' privilege strings: + + none the empty set + + all the set of all privileges + + zone the set of all privileges available in the current zone + + basic the default set of privileges normal users are granted at login + time + + Privileges can be excluded from a set by prefixing the privilege name + with either an `!' or `-' character. + TTaagg__SSppeecc A command may have zero or more tags associated with it. There are ten possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 8f0b5dd29..a71074677 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -964,6 +964,41 @@ privilege set associated with a command. If privileges or limit privileges are specified with the command it will override any default values specified in \fIsudoers\fR. +.PP +A privilege set is a comma-separated list of privilege names. +The +ppriv(1) +command can be used to list all privileges known to the system. +For example: +.nf +.sp +.RS 0n +$ ppriv -l +.RE +.fi +.PP +In addition, there are several +``special'' +privilege strings: +.TP 10n +none +the empty set +.TP 10n +all +the set of all privileges +.TP 10n +zone +the set of all privileges available in the current zone +.TP 10n +basic +the default set of privileges normal users are granted at login time +.PP +Privileges can be excluded from a set by prefixing the privilege +name with either an +`\&!' +or +`\-' +character. .SS "Tag_Spec" A command may have zero or more tags associated with it. There are diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 7c039c201..ddef0f0f3 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -911,6 +911,36 @@ privilege set associated with a command. If privileges or limit privileges are specified with the command it will override any default values specified in .Em sudoers . +.Pp +A privilege set is a comma-separated list of privilege names. +The +.Xr ppriv 1 +command can be used to list all privileges known to the system. +For example: +.Bd -literal +$ ppriv -l +.Ed +.Pp +In addition, there are several +.Dq special +privilege strings: +.Bl -tag -width 8n +.It none +the empty set +.It all +the set of all privileges +.It zone +the set of all privileges available in the current zone +.It basic +the default set of privileges normal users are granted at login time +.El +.Pp +Privileges can be excluded from a set by prefixing the privilege +name with either an +.Ql \&! +or +.Ql \- +character. .Ss Tag_Spec A command may have zero or more tags associated with it. There are
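Review bot: in the doc/sudoers.cat hunk, the closing sentence on exclusion ("Privileges can be excluded from a set by prefixing the privilege name with either an `!' or `-' character") does not say which set the exclusion is taken from or whether position in the comma-separated list matters. A reader cannot tell from this text what a list that begins with an excluded name means, and a wrong guess leaves a command with more privileges than the administrator intended. Suggest adding one sentence on how the list is evaluated, plus one example set that combines a special string such as basic with an excluded name.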
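Review bot: in the doc/sudoers.man.in hunk, the four ".TP 10n" tags (none, all, zone, basic) are set in plain roman type although they are literal strings to be typed into sudoers, and "all" and "none" read as ordinary words next to their descriptions. Suggest marking them up as literals, in the way the context line above marks \fIsudoers\fR, so the keywords are distinguishable from the prose. If this file is generated from the mdoc source, the markup change belongs in the ".It" lines there.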
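Review bot: in the doc/sudoers.mdoc.in hunk, the ".It all" and ".It zone" entries do not explain when the two sets differ ("the set of all privileges" versus "the set of all privileges available in the current zone"), which is the distinction an administrator needs when writing a limit set. Suggest a sentence stating how they differ inside a non-global zone. Since ".Xr ppriv 1" is the only reference given, a pointer to where the privilege names and these special strings are defined, for instance the Solaris privileges(5) page, would also help.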