Enumerate the debug subsystems used by sudo and sudoers.

doc/sudo.pod

@@ -483,7 +483,7 @@ Defaults to F<@noexec_file@>.
 
 B<sudo> versions 1.8.4 and higher support a flexible debugging
 framework that can help track down what B<sudo> is doing internally
-when there is a problem.
+if there is a problem.
 
 A C<Debug> line consists of the C<Debug> keyword, followed by the
 name of the program to debug (B<sudo>, B<visudo>, B<sudoreplay>),
@@ -505,15 +505,69 @@ and the plugins.  A future release may add support for per-plugin
 C<Debug> lines and/or support for multiple debugging files for a
 single program.
 
-For reference, the priorities supported by the B<sudo> front end and
+The priorities used by the B<sudo> front end, in order of decreasing
-I<sudoers> are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>,
+severity, are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>,
-I<info>, I<trace> and I<debug>.
+I<trace> and I<debug>.  Each priority, when specified, also includes
+all priorities higher than it.  For example, a priority of I<notice>
+would include debug messages logged at I<notice> and higher.
 
-The following subsystems are defined: I<main>, I<memory>, I<args>,
+The following subsystems are used by B<sudo>:
-I<exec>, I<pty>, I<utmp>, I<conv>, I<pcomm>, I<util>, I<list>,
+
-I<netif>, I<audit>, I<edit>, I<selinux>, I<ldap>, I<match>, I<parser>,
+=over 10
-I<alias>, I<defaults>, I<auth>, I<env>, I<logging>, I<nss>, I<rbtree>,
+
-I<perms>, I<plugin>.  The subsystem I<all> includes every subsystem.
+=item I<all>
+
+matches every subsystem
+
+=item I<args>
+
+command line argument processing
+
+=item I<conv>
+
+user conversation
+
+=item I<edit>
+
+sudoedit
+
+=item I<exec>
+
+command execution
+
+=item I<main>
+
+B<sudo> main function
+
+=item I<netif>
+
+network interface handling
+
+=item I<pcomm>
+
+communication with the plugin
+
+=item I<plugin>
+
+plugin configuration
+
+=item I<pty>
+
+pseudo-tty related code
+
+=item I<selinux>
+
+SELinux-specific handling
+
+=item I<util>
+
+utility functions
+
+=item I<utmp>
+
+utmp handling
+
+=back
 
 =head1 RETURN VALUES
 

doc/sudoers.pod

@@ -1903,6 +1903,96 @@ to unintended privilege escalation.  In the specific case of an
 editor, a safer approach is to give the user permission to run
 B<sudoedit>.
 
+=head1 DEBUG FLAGS
+
+Versions 1.8.4 and higher of the I<sudoers> plugin supports a
+debugging framework that can help track down what the plugin is
+doing internally if there is a problem.  This can be configured in
+the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>.
+
+The I<sudoers> plugin uses the same debug flag format as B<sudo>
+itself: I<subsystem>@I<priority>.
+
+The priorities used by I<sudoers>, in order of decreasing severity,
+are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace>
+and I<debug>.  Each priority, when specified, also includes all
+priorities higher than it.  For example, a priority of I<notice>
+would include debug messages logged at I<notice> and higher.
+
+The following subsystems are used by I<sudoers>:
+
+=over 10
+
+=item I<alias>
+
+C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing
+
+=item I<all>
+
+matches every subsystem
+
+=item I<audit>
+
+BSM and Linux audit code
+
+=item I<auth>
+
+user authentication
+
+=item I<defaults>
+
+I<sudoers> I<Defaults> settings
+
+=item I<env>
+
+environment handling
+
+=item I<ldap>
+
+LDAP-based sudoers
+
+=item I<logging>
+
+logging support
+
+=item I<match>
+
+matching of users, groups, hosts and netgroups in I<sudoers>
+
+=item I<netif>
+
+network interface handling
+
+=item I<nss>
+
+network service switch handling in I<sudoers>
+
+=item I<parser>
+
+I<sudoers> file parsing
+
+=item I<perms>
+
+permission setting
+
+=item I<plugin>
+
+The equivalent of I<main> for the plugin.
+
+=item I<pty>
+
+pseudo-tty related code
+
+=item I<rbtree>
+
+redblack tree internals
+
+=item I<util>
+
+utility functions 
+
+=back
+
 =head1 SECURITY NOTES
 
 I<sudoers> will check the ownership of its time stamp directory