Remove most uses of the deprecated Li macro which has no effect.

Also fix some other incorrect markup.
2022-09-13 19:56:45 -06:00
parent a326411903
commit c341608072
26 changed files with 1398 additions and 1466 deletions
--- a/docs/cvtsudoers.man.in
+++ b/docs/cvtsudoers.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "CVTSUDOERS" "1" "September 2, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
+.TH "CVTSUDOERS" "1" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -67,9 +67,8 @@ The options are as follows:
 The base DN (distinguished name) that will be used when performing
 LDAP queries.
 Typically this is of the form
-\fRou=SUDOers,dc=my-domain,dc=com\fR
+\(lqou=SUDOers,dc=my-domain,dc=com\(rq
-for the domain
+for the domain my-domain.com.
 \fRmy-domain.com\fR.
 If this option is not specified, the value of the
 \fRSUDOERS_BASE\fR
 environment variable will be used instead.
@@ -82,10 +81,10 @@ Defaults to
 .TP 12n
 \fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
 Only convert
-\fRDefaults\fR
+\fIDefaults\fR
 entries of the specified types.
 One or more
-\fRDefaults\fR
+\fIDefaults\fR
 types may be specified, separated by a comma
 (\(oq\&,\(cq).
 The supported types are:
@@ -122,7 +121,7 @@ for more information.
 If the
 \fB\-d\fR
 option is not specified, all
-\fRDefaults\fR
+\fIDefaults\fR
 entries will be converted.
 .RE
 .TP 12n
@@ -265,10 +264,10 @@ For example,
 or
 \fBhost\fR = \fIwww\fR.
 An upper-case
-\fRCmnd_Alias\fR,
+\fICmnd_Alias\fR,
-\fRHost_alias\fR,
+\fIHost_alias\fR,
 or
-\fRUser_Alias\fR
+\fIUser_Alias\fR
 may be specified as the
 \(lqcmnd\(rq,
 \(lqhost\(rq,
@@ -441,7 +440,7 @@ Per-user rules are merged and duplicates are removed.
 If a host name is specified with the input file,
 \fBcvtsudoers\fR
 will change rules that specify a host name of
-\fRALL\fR
+\fBALL\fR
 to the host name associated with the policy file being merged.
 The merging of rules is currently fairly simplistic but will be
 improved in a later release.
@@ -676,7 +675,7 @@ and
 Host_Aliases
 A JSON object containing one or more
 \fIsudoers\fR
-\fRHost_Alias\fR
+\fIHost_Alias\fR
 entries where each named alias has as its value an array
 containing one or more objects.
 Each object contains a
@@ -711,7 +710,7 @@ For example:
 Cmnd_Aliases
 A JSON object containing one or more
 \fIsudoers\fR
-\fRCmnd_Alias\fR
+\fICmnd_Alias\fR
 entries where each named alias has as its value an array
 containing one or more objects.
 Each object contains a
@@ -1006,20 +1005,20 @@ defaults_type
 The type of
 \fIDefaults\fR
 setting; one of
-\fRdefaults\fR,
+\fIdefaults\fR,
-\fRdefaults_command\fR,
+\fIdefaults_command\fR,
-\fRdefaults_host\fR,
+\fIdefaults_host\fR,
-\fRdefaults_runas\fR,
+\fIdefaults_runas\fR,
 or
-\fRdefaults_user\fR.
+\fIdefaults_user\fR.
 .TP 10n
 binding
 For
-\fRdefaults_command\fR,
+\fIdefaults_command\fR,
-\fRdefaults_host\fR,
+\fIdefaults_host\fR,
-\fRdefaults_runas\fR,
+\fIdefaults_runas\fR,
 and
-\fRdefaults_user\fR
+\fIdefaults_user\fR
 this is the value that must match for the setting to be applied.
 .TP 10n
 name
@@ -1051,11 +1050,11 @@ or
 .TP 6n
 aliases
 This section includes any
-\fRCmnd_Alias\fR
+\fICmnd_Alias\fR
-\fRHost_Alias\fR,
+\fIHost_Alias\fR,
-\fRRunas_Alias\fR,
+\fIRunas_Alias\fR,
 or
-\fRUser_Alias\fR,
+\fIUser_Alias\fR,
 entries from
 \fIsudoers\fR.
 The
@@ -1073,11 +1072,11 @@ The fields are as follows:
 .TP 10n
 alias_type
 The type of alias; one of
-\fRCmnd_Alias\fR,
+\fICmnd_Alias\fR,
-\fRHost_Alias\fR,
+\fIHost_Alias\fR,
-\fRRunas_Alias\fR,
+\fIRunas_Alias\fR,
 or
-\fRUser_Alias\fR.
+\fIUser_Alias\fR.
 .TP 10n
 alias_name
 The name of the alias; a string starting with an upper-case letter that
@@ -1127,7 +1126,7 @@ or a netgroup (preceded by a
 \(oq+\(cq
 character)
 or a
-\fRUser_Alias\fR.
+\fIUser_Alias\fR.
 If set to the special value
 \fBALL\fR,
 it will match any user.
@@ -1138,14 +1137,14 @@ This may also be a netgroup (preceded by a
 \(oq+\(cq
 character)
 or a
-\fRHost_Alias\fR.
+\fIHost_Alias\fR.
 If set to the special value
 \fBALL\fR,
 it will match any host.
 .TP 10n
 runusers
 An optional comma-separated list of users (or
-\fRRunas_Alias\fRes)
+\fIRunas_Alias\fRes)
 the command may be run as.
 If it contains more than one member, the value is surrounded by
 double quotes.
@@ -1157,7 +1156,7 @@ If empty, the root user is assumed.
 rungroups
 .br
 An optional comma-separated list of groups (or
-\fRRunas_Alias\fRes)
+\fIRunas_Alias\fRes)
 the command may be run as.
 If it contains more than one member, the value is surrounded by
 double quotes.
--- a/docs/cvtsudoers.mdoc.in
+++ b/docs/cvtsudoers.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd September 2, 2022
+.Dd September 13, 2022
 .Dt CVTSUDOERS 1
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -65,9 +65,8 @@ The options are as follows:
 The base DN (distinguished name) that will be used when performing
 LDAP queries.
 Typically this is of the form
-.Li ou=SUDOers,dc=my-domain,dc=com
+.Dq ou=SUDOers,dc=my-domain,dc=com
-for the domain
+for the domain my-domain.com.
 .Li my-domain.com .
 If this option is not specified, the value of the
 .Ev SUDOERS_BASE
 environment variable will be used instead.
@@ -78,10 +77,10 @@ Defaults to
 .Pa @sysconfdir@/cvtsudoers.conf .
 .It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
 Only convert
-.Li Defaults
+.Em Defaults
 entries of the specified types.
 One or more
-.Li Defaults
+.Em Defaults
 types may be specified, separated by a comma
 .Pq Ql \&, .
 The supported types are:
@@ -110,7 +109,7 @@ for more information.
 If the
 .Fl d
 option is not specified, all
-.Li Defaults
+.Em Defaults
 entries will be converted.
 .It Fl e , Fl -expand-aliases
 Expand aliases in
@@ -218,10 +217,10 @@ For example,
 or
 .Sy host No = Ar www .
 An upper-case
-.Li Cmnd_Alias ,
+.Em Cmnd_Alias ,
-.Li Host_alias ,
+.Em Host_alias ,
 or
-.Li User_Alias
+.Em User_Alias
 may be specified as the
 .Dq cmnd ,
 .Dq host ,
@@ -365,9 +364,9 @@ subsequent aliases of the same name are renamed with a numeric suffix
 separated with a underscore
 .Pq Ql _ .
 For example, if there are two different aliases named
-.Li SERVERS ,
+.Dv SERVERS ,
 the first will be left as-is and the second will be renamed
-.Li SERVERS_1 .
+.Dv SERVERS_1 .
 References to the renamed alias are also updated in the policy file.
 Duplicate aliases (those with identical contents) are pruned.
 .It
@@ -384,7 +383,7 @@ Per-user rules are merged and duplicates are removed.
 If a host name is specified with the input file,
 .Nm
 will change rules that specify a host name of
-.Li ALL
+.Sy ALL
 to the host name associated with the policy file being merged.
 The merging of rules is currently fairly simplistic but will be
 improved in a later release.
@@ -589,7 +588,7 @@ and
 .It Host_Aliases
 A JSON object containing one or more
 .Em sudoers
-.Li Host_Alias
+.Em Host_Alias
 entries where each named alias has as its value an array
 containing one or more objects.
 Each object contains a
@@ -620,7 +619,7 @@ For example:
 .It Cmnd_Aliases
 A JSON object containing one or more
 .Em sudoers
-.Li Cmnd_Alias
+.Em Cmnd_Alias
 entries where each named alias has as its value an array
 containing one or more objects.
 Each object contains a
@@ -893,19 +892,19 @@ The fields are as follows:
 The type of
 .Em Defaults
 setting; one of
-.Li defaults ,
+.Em defaults ,
-.Li defaults_command ,
+.Em defaults_command ,
-.Li defaults_host ,
+.Em defaults_host ,
-.Li defaults_runas ,
+.Em defaults_runas ,
 or
-.Li defaults_user .
+.Em defaults_user .
 .It binding
 For
-.Li defaults_command ,
+.Em defaults_command ,
-.Li defaults_host ,
+.Em defaults_host ,
-.Li defaults_runas ,
+.Em defaults_runas ,
 and
-.Li defaults_user
+.Em defaults_user
 this is the value that must match for the setting to be applied.
 .It name
 The name of the
@@ -930,11 +929,11 @@ or
 .El
 .It aliases
 This section includes any
-.Li Cmnd_Alias
+.Em Cmnd_Alias
-.Li Host_Alias ,
+.Em Host_Alias ,
-.Li Runas_Alias ,
+.Em Runas_Alias ,
 or
-.Li User_Alias ,
+.Em User_Alias ,
 entries from
 .Em sudoers .
 The
@@ -948,11 +947,11 @@ The fields are as follows:
 .Bl -tag -width 8n
 .It alias_type
 The type of alias; one of
-.Li Cmnd_Alias ,
+.Em Cmnd_Alias ,
-.Li Host_Alias ,
+.Em Host_Alias ,
-.Li Runas_Alias ,
+.Em Runas_Alias ,
 or
-.Li User_Alias .
+.Em User_Alias .
 .It alias_name
 The name of the alias; a string starting with an upper-case letter that
 consists of upper-case letters, digits, or underscores.
@@ -990,7 +989,7 @@ or a netgroup (preceded by a
 .Ql +
 character)
 or a
-.Li User_Alias .
+.Em User_Alias .
 If set to the special value
 .Sy ALL ,
 it will match any user.
@@ -1000,13 +999,13 @@ This may also be a netgroup (preceded by a
 .Ql +
 character)
 or a
-.Li Host_Alias .
+.Em Host_Alias .
 If set to the special value
 .Sy ALL ,
 it will match any host.
 .It runusers
 An optional comma-separated list of users (or
-.Li Runas_Alias Ns No es )
+.Em Runas_Alias Ns No es )
 the command may be run as.
 If it contains more than one member, the value is surrounded by
 double quotes.
@@ -1016,7 +1015,7 @@ it will match any user.
 If empty, the root user is assumed.
 .It rungroups
 An optional comma-separated list of groups (or
-.Li Runas_Alias Ns No es )
+.Em Runas_Alias Ns No es )
 the command may be run as.
 If it contains more than one member, the value is surrounded by
 double quotes.
--- a/docs/sudo.conf.man.in
+++ b/docs/sudo.conf.man.in
@@ -70,17 +70,17 @@ Leading white space is removed from the beginning of lines
 even when a continuation character is used.
 .PP
 Non-comment lines that don't begin with
-\fRPlugin\fR,
+\fIPlugin\fR,
-\fRPath\fR,
+\fIPath\fR,
-\fRDebug\fR,
+\fIDebug\fR,
 or
-\fRSet\fR
+\fISet\fR
 are silently ignored.
 .PP
 The
 \fBsudo.conf\fR
 file is always parsed in the
-\(lq\fRC\fR\(rq
+\(oqC\(cq
 locale.
 .SS "Plugin configuration"
 \fBsudo\fR
@@ -94,9 +94,9 @@ Plugins are dynamically loaded based on the contents of
 \fBsudo.conf\fR.
 .PP
 A
-\fRPlugin\fR
+\fIPlugin\fR
 line consists of the
-\fRPlugin\fR
+\fIPlugin\fR
 keyword, followed by the
 \fIsymbol_name\fR
 and the
@@ -105,14 +105,14 @@ to the dynamic shared object that contains the plugin.
 The
 \fIsymbol_name\fR
 is the name of the
-\fRapproval_plugin\fR,
+\fIstruct approval_plugin\fR,
-\fRaudit_plugin\fR,
+\fIstruct audit_plugin\fR,
-\fRio_plugin\fR,
+\fIstruct io_plugin\fR,
 or
-\fRpolicy_plugin\fR
+\fIstruct policy_plugin\fR
-struct contained in the plugin.
+defined by the plugin.
 If a plugin implements multiple plugin types, there must be a
-\fRPlugin\fR
+\fIPlugin\fR
 line for each unique symbol name.
 The
 \fIpath\fR
@@ -120,7 +120,7 @@ may be fully qualified or relative.
 If not fully qualified, it is relative to the directory
 specified by the
 \fIplugin_dir\fR
-\fRPath\fR
+\fIPath\fR
 setting, which defaults to
 \fI@plugindir@\fR.
 In other words:
@@ -182,7 +182,7 @@ This limitation does not apply to I/O plugins.
 If no
 \fBsudo.conf\fR
 file is present, or if it contains no
-\fRPlugin\fR
+\fIPlugin\fR
 lines, the
 \fBsudoers\fR
 plugin will be used as the default security policy, for I/O logging
@@ -221,9 +221,9 @@ sudo_plugin(@mansectform@)
 manual.
 .SS "Path settings"
 A
-\fRPath\fR
+\fIPath\fR
 line consists of the
-\fRPath\fR
+\fIPath\fR
 keyword, followed by the name of the path to set and its value.
 For example:
 .nf
@@ -238,7 +238,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass
 If no path name is specified, features relying on the specified
 setting will be disabled.
 Disabling
-\fRPath\fR
+\fIPath\fR
 settings is only supported in
 \fBsudo\fR
 version 1.8.16 and higher.
@@ -277,7 +277,7 @@ If terminal devices may be located in a sub-directory of
 that path must be explicitly listed in
 \fIdevsearch\fR.
 The default value is
-\fR/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
+\fI/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
 .sp
 This option is ignored on systems that support either the
 \fBdevname\fR()
@@ -290,15 +290,15 @@ macOS and Solaris.
 intercept
 .br
 The fully-qualified path to a shared library containing a wrappers for the
-\fBexecl\fR(),
+execve(2),
-\fBexecle\fR(),
+execl(3),
-\fBexeclp\fR(),
+execle(3),
-\fBexecv\fR(),
+execlp(3),
-\fBexecve\fR(),
+execv(3),
-\fBexecvp\fR(),
+execvp(3),
-\fBexecvpe\fR(),
+execvpe(3),
 and
-\fBsystem\fR()
+system(3)
 library functions that intercepts attempts to run further commands and
 performs a policy check before allowing them to be executed.
 This is used to implement the
@@ -312,23 +312,23 @@ The default value is
 noexec
 The fully-qualified path to a shared library containing wrappers
 for the
-\fBexecl\fR(),
+execve(2),
-\fBexecle\fR(),
+execl(3),
-\fBexeclp\fR(),
+execle(3),
-\fBexect\fR(),
+execlp(3),
-\fBexecv\fR(),
+exect(3),
-\fBexecve\fR(),
+execv(3),
-\fBexecveat\fR(),
+execveat(3),
-\fBexecvP\fR(),
+execvP(3),
-\fBexecvp\fR(),
+execvp(3),
-\fBexecvpe\fR(),
+execvpe(3),
-\fBfexecve\fR(),
+fexecve(3),
-\fBpopen\fR(),
+popen(3),
-\fBposix_spawn\fR(),
+posix_spawn(3),
-\fBposix_spawnp\fR(),
+posix_spawnp(3),
-\fBsystem\fR(),
+system(3),
 and
-\fBwordexp\fR()
+wordexp(3)
 library functions that prevent the execution of further commands.
 This is used to implement the
 \fInoexec\fR
@@ -569,9 +569,9 @@ that can log what
 is doing internally if there is a problem.
 .PP
 A
-\fRDebug\fR
+\fIDebug\fR
 line consists of the
-\fRDebug\fR
+\fIDebug\fR
 keyword, followed by the name of the program, plugin, or shared object
 to debug, the debug file name, and a comma-separated list of debug flags.
 The debug flag syntax used by
@@ -613,25 +613,25 @@ intercept functionality on some systems.
 As of
 \fBsudo\fR
 1.8.12, multiple
-\fRDebug\fR
+\fIDebug\fR
 entries may be specified per program.
 Older versions of
 \fBsudo\fR
 only support a single
-\fRDebug\fR
+\fIDebug\fR
 entry per program.
 Plugin-specific
-\fRDebug\fR
+\fIDebug\fR
 entries are also supported starting with
 \fBsudo\fR
 1.8.12 and are matched by either the base name of the plugin that was loaded
 (for example
-\fRsudoers.so\fR)
+\fIsudoers.so\fR)
 or by the plugin's fully-qualified path name.
 Previously, the
 \fBsudoers\fR
 plugin shared the same
-\fRDebug\fR
+\fIDebug\fR
 entry as the
 \fBsudo\fR
 front-end and could not be configured separately.
--- a/docs/sudo.conf.mdoc.in
+++ b/docs/sudo.conf.mdoc.in
@@ -67,17 +67,17 @@ Leading white space is removed from the beginning of lines
 even when a continuation character is used.
 .Pp
 Non-comment lines that don't begin with
-.Li Plugin ,
+.Em Plugin ,
-.Li Path ,
+.Em Path ,
-.Li Debug ,
+.Em Debug ,
 or
-.Li Set
+.Em Set
 are silently ignored.
 .Pp
 The
 .Nm
 file is always parsed in the
-.Dq Li C
+.Ql C
 locale.
 .Ss Plugin configuration
 .Nm sudo
@@ -91,9 +91,9 @@ Plugins are dynamically loaded based on the contents of
 .Nm .
 .Pp
 A
-.Li Plugin
+.Em Plugin
 line consists of the
-.Li Plugin
+.Em Plugin
 keyword, followed by the
 .Em symbol_name
 and the
@@ -102,14 +102,14 @@ to the dynamic shared object that contains the plugin.
 The
 .Em symbol_name
 is the name of the
-.Li approval_plugin ,
+.Vt struct approval_plugin ,
-.Li audit_plugin ,
+.Vt struct audit_plugin ,
-.Li io_plugin ,
+.Vt struct io_plugin ,
 or
-.Li policy_plugin
+.Vt struct policy_plugin
-struct contained in the plugin.
+defined by the plugin.
 If a plugin implements multiple plugin types, there must be a
-.Li Plugin
+.Em Plugin
 line for each unique symbol name.
 The
 .Em path
@@ -117,7 +117,7 @@ may be fully qualified or relative.
 If not fully qualified, it is relative to the directory
 specified by the
 .Em plugin_dir
-.Li Path
+.Em Path
 setting, which defaults to
 .Pa @plugindir@ .
 In other words:
@@ -167,7 +167,7 @@ This limitation does not apply to I/O plugins.
 If no
 .Nm
 file is present, or if it contains no
-.Li Plugin
+.Em Plugin
 lines, the
 .Nm sudoers
 plugin will be used as the default security policy, for I/O logging
@@ -203,9 +203,9 @@ plugin architecture, see the
 manual.
 .Ss Path settings
 A
-.Li Path
+.Em Path
 line consists of the
-.Li Path
+.Em Path
 keyword, followed by the name of the path to set and its value.
 For example:
 .Bd -literal -offset 4n
@@ -217,7 +217,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass
 If no path name is specified, features relying on the specified
 setting will be disabled.
 Disabling
-.Li Path
+.Em Path
 settings is only supported in
 .Nm sudo
 version 1.8.16 and higher.
@@ -254,7 +254,7 @@ If terminal devices may be located in a sub-directory of
 that path must be explicitly listed in
 .Em devsearch .
 The default value is
-.Li /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
+.Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
 .Pp
 This option is ignored on systems that support either the
 .Fn devname
@@ -265,15 +265,15 @@ functions, for example
 macOS and Solaris.
 .It intercept
 The fully-qualified path to a shared library containing a wrappers for the
-.Fn execl ,
+.Xr execve 2 ,
-.Fn execle ,
+.Xr execl 3 ,
-.Fn execlp ,
+.Xr execle 3 ,
-.Fn execv ,
+.Xr execlp 3 ,
-.Fn execve ,
+.Xr execv 3 ,
-.Fn execvp ,
+.Xr execvp 3 ,
-.Fn execvpe ,
+.Xr execvpe 3 ,
 and
-.Fn system
+.Xr system 3
 library functions that intercepts attempts to run further commands and
 performs a policy check before allowing them to be executed.
 This is used to implement the
@@ -286,23 +286,23 @@ The default value is
 .It noexec
 The fully-qualified path to a shared library containing wrappers
 for the
-.Fn execl ,
+.Xr execve 2 ,
-.Fn execle ,
+.Xr execl 3 ,
-.Fn execlp ,
+.Xr execle 3 ,
-.Fn exect ,
+.Xr execlp 3 ,
-.Fn execv ,
+.Xr exect 3 ,
-.Fn execve ,
+.Xr execv 3 ,
-.Fn execveat ,
+.Xr execveat 3 ,
-.Fn execvP ,
+.Xr execvP 3 ,
-.Fn execvp ,
+.Xr execvp 3 ,
-.Fn execvpe ,
+.Xr execvpe 3 ,
-.Fn fexecve ,
+.Xr fexecve 3 ,
-.Fn popen ,
+.Xr popen 3 ,
-.Fn posix_spawn ,
+.Xr posix_spawn 3 ,
-.Fn posix_spawnp ,
+.Xr posix_spawnp 3 ,
-.Fn system ,
+.Xr system 3 ,
 and
-.Fn wordexp
+.Xr wordexp 3
 library functions that prevent the execution of further commands.
 This is used to implement the
 .Em noexec
@@ -519,9 +519,9 @@ that can log what
 is doing internally if there is a problem.
 .Pp
 A
-.Li Debug
+.Em Debug
 line consists of the
-.Li Debug
+.Em Debug
 keyword, followed by the name of the program, plugin, or shared object
 to debug, the debug file name, and a comma-separated list of debug flags.
 The debug flag syntax used by
@@ -557,25 +557,25 @@ intercept functionality on some systems.
 As of
 .Nm sudo
 1.8.12, multiple
-.Li Debug
+.Em Debug
 entries may be specified per program.
 Older versions of
 .Nm sudo
 only support a single
-.Li Debug
+.Em Debug
 entry per program.
 Plugin-specific
-.Li Debug
+.Em Debug
 entries are also supported starting with
 .Nm sudo
 1.8.12 and are matched by either the base name of the plugin that was loaded
 (for example
-.Li sudoers.so )
+.Pa sudoers.so )
 or by the plugin's fully-qualified path name.
 Previously, the
 .Nm sudoers
 plugin shared the same
-.Li Debug
+.Em Debug
 entry as the
 .Nm sudo
 front-end and could not be configured separately.
--- a/docs/sudo.man.in
+++ b/docs/sudo.man.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "August 2, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -135,9 +135,7 @@ time limit.
 This limit is policy-specific; the default password prompt timeout
 for the
 \fIsudoers\fR
-security policy is
+security policy is @password_timeout@ minutes.
 \fR@password_timeout@\fR
 minutes.
 .PP
 Security policies may support credential caching to allow the user
 to run
@@ -145,9 +143,7 @@ to run
 again for a period of time without requiring authentication.
 By default, the
 \fIsudoers\fR
-policy caches credentials on a per-terminal basis for
+policy caches credentials on a per-terminal basis for @timeout@ minutes.
 \fR@timeout@\fR
 minutes.
 See the
 \fItimestamp_type\fR
 and
@@ -399,7 +395,7 @@ may be either a group name or a numeric group-ID
 prefixed with the
 \(oq#\(cq
 character (e.g.,
-\fR#0\fR
+\(oq#0\(cq
 for GID 0).
 When running a command as a GID, many shells require that the
 \(oq#\(cq
@@ -574,7 +570,7 @@ policy:
 .RS 12n
 .PD 0
 .TP 4n
-\fR%H\fR
+%H
 expanded to the host name including the domain name (only if the
 machine's host name is fully qualified or the
 \fIfqdn\fR
@@ -582,10 +578,10 @@ option is set in
 sudoers(@mansectform@))
 .PD
 .TP 4n
-\fR%h\fR
+%h
 expanded to the local host name without the domain name
 .TP 4n
-\fR%p\fR
+%p
 expanded to the name of the user whose password is being requested
 (respects the
 \fIrootpw\fR,
@@ -595,16 +591,16 @@ and
 flags in
 sudoers(@mansectform@))
 .TP 4n
-\fR\&%U\fR
+\&%U
 expanded to the login name of the user the command will be run as
 (defaults to root unless the
 \fB\-u\fR
 option is also specified)
 .TP 4n
-\fR%u\fR
+%u
 expanded to the invoking user's login name
 .TP 4n
-\fR%%\fR
+%%
 two consecutive
 \(oq%\(cq
 characters are collapsed into a single
@@ -707,7 +703,7 @@ may be either a user name or a numeric user-ID
 prefixed with the
 \(oq#\(cq
 character (e.g.,
-\fR#0\fR
+\(oq#0\(cq
 for UID 0).
 When running commands as a UID, many shells require that the
 \(oq#\(cq
@@ -740,9 +736,7 @@ For the
 \fIsudoers\fR
 plugin, this extends the
 \fBsudo\fR
-timeout for another
+timeout for another @timeout@ minutes by default, but does not run a command.
 \fR@timeout@\fR
 minutes by default, but does not run a command.
 Not all security policies support cached credentials.
 .TP 12n
 \fB\--\fR
@@ -778,7 +772,7 @@ option is set in
 the command to be run has the
 \fRSETENV\fR
 tag set or the command matched is
-\fRALL\fR,
+\fBALL\fR,
 the user may set variables that would otherwise be forbidden.
 See
 sudoers(@mansectform@)
@@ -986,7 +980,7 @@ run in a new pty,
 may execute the command directly instead of running it as a child process.
 .SS "Plugins"
 Plugins may be specified via
-\fRPlugin\fR
+\fIPlugin\fR
 directives in the
 sudo.conf(@mansectform@)
 file.
@@ -997,7 +991,7 @@ binary.
 If no
 sudo.conf(@mansectform@)
 file is present, or if it doesn't contain any
-\fRPlugin\fR
+\fIPlugin\fR
 lines,
 \fBsudo\fR
 will use
@@ -1086,9 +1080,9 @@ By default,
 \fBsudo\fR
 will only log the command it explicitly runs.
 If a user runs a command such as
-\fRsudo su\fR
+\(oqsudo su\(cq
 or
-\fRsudo sh\fR,
+\(oqsudo sh\(cq,
 subsequent commands run from that shell are not subject to
 \fBsudo\fR's
 security policy.
@@ -1176,7 +1170,7 @@ or when
 is enabled in
 \fIsudoers\fR
 and
-\fIHOME\fR
+\fRHOME\fR
 is not present in the
 \fIenv_keep\fR
 list.
@@ -1226,8 +1220,7 @@ Default editor to use in
 Set to the group-ID of the user who invoked sudo.
 .TP 17n
 \fRSUDO_PROMPT\fR
-Used as the default password prompt unless
+Used as the default password prompt unless the
 the
 \fB\-p\fR
 option was specified.
 .TP 17n
@@ -1315,7 +1308,7 @@ $ sudo shutdown -r +15 "quick reboot"
 .PP
 To make a usage listing of the directories in the /home partition.
 The commands are run in a sub-shell to allow the
-\fRcd\fR
+\(oqcd\(cq
 command and file redirection to work.
 .nf
 .sp
@@ -1500,7 +1493,7 @@ plugin's
 functionality.
 .PP
 It is not meaningful to run the
-\fRcd\fR
+\(oqcd\(cq
 command directly via sudo, e.g.,
 .nf
 .sp
--- a/docs/sudo.mdoc.in
+++ b/docs/sudo.mdoc.in
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd August 2, 2022
+.Dd September 13, 2022
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -139,9 +139,7 @@ time limit.
 This limit is policy-specific; the default password prompt timeout
 for the
 .Em sudoers
-security policy is
+security policy is @password_timeout@ minutes.
 .Li @password_timeout@
 minutes.
 .Pp
 Security policies may support credential caching to allow the user
 to run
@@ -149,9 +147,7 @@ to run
 again for a period of time without requiring authentication.
 By default, the
 .Em sudoers
-policy caches credentials on a per-terminal basis for
+policy caches credentials on a per-terminal basis for @timeout@ minutes.
 .Li @timeout@
 minutes.
 See the
 .Em timestamp_type
 and
@@ -380,7 +376,7 @@ may be either a group name or a numeric group-ID
 prefixed with the
 .Ql #
 character (e.g.,
-.Li #0
+.Ql #0
 for GID 0).
 When running a command as a GID, many shells require that the
 .Ql #
@@ -537,15 +533,15 @@ escape sequences are supported by the
 .Em sudoers
 policy:
 .Bl -tag -width 2n
-.It Li %H
+.It %H
 expanded to the host name including the domain name (only if the
 machine's host name is fully qualified or the
 .Em fqdn
 option is set in
 .Xr sudoers @mansectform@ )
-.It Li %h
+.It %h
 expanded to the local host name without the domain name
-.It Li %p
+.It %p
 expanded to the name of the user whose password is being requested
 (respects the
 .Em rootpw ,
@@ -554,14 +550,14 @@ and
 .Em runaspw
 flags in
 .Xr sudoers @mansectform@ )
-.It Li \&%U
+.It \&%U
 expanded to the login name of the user the command will be run as
 (defaults to root unless the
 .Fl u
 option is also specified)
-.It Li %u
+.It %u
 expanded to the invoking user's login name
-.It Li %%
+.It %%
 two consecutive
 .Ql %
 characters are collapsed into a single
@@ -656,7 +652,7 @@ may be either a user name or a numeric user-ID
 prefixed with the
 .Ql #
 character (e.g.,
-.Li #0
+.Ql #0
 for UID 0).
 When running commands as a UID, many shells require that the
 .Ql #
@@ -687,9 +683,7 @@ For the
 .Em sudoers
 plugin, this extends the
 .Nm
-timeout for another
+timeout for another @timeout@ minutes by default, but does not run a command.
 .Li @timeout@
 minutes by default, but does not run a command.
 Not all security policies support cached credentials.
 .It Fl -
 The
@@ -723,9 +717,9 @@ If the
 option is set in
 .Em sudoers ,
 the command to be run has the
-.Li SETENV
+.Dv SETENV
 tag set or the command matched is
-.Li ALL ,
+.Sy ALL ,
 the user may set variables that would otherwise be forbidden.
 See
 .Xr sudoers @mansectform@
@@ -922,7 +916,7 @@ run in a new pty,
 may execute the command directly instead of running it as a child process.
 .Ss Plugins
 Plugins may be specified via
-.Li Plugin
+.Em Plugin
 directives in the
 .Xr sudo.conf @mansectform@
 file.
@@ -933,7 +927,7 @@ binary.
 If no
 .Xr sudo.conf @mansectform@
 file is present, or if it doesn't contain any
-.Li Plugin
+.Em Plugin
 lines,
 .Nm
 will use
@@ -1022,9 +1016,9 @@ By default,
 .Nm
 will only log the command it explicitly runs.
 If a user runs a command such as
-.Li sudo su
+.Ql sudo su
 or
-.Li sudo sh ,
+.Ql sudo sh ,
 subsequent commands run from that shell are not subject to
 .Nm sudo Ns 's
 security policy.
@@ -1107,7 +1101,7 @@ or when
 is enabled in
 .Em sudoers
 and
-.Em HOME
+.Ev HOME
 is not present in the
 .Em env_keep
 list.
@@ -1149,8 +1143,7 @@ Default editor to use in
 .It Ev SUDO_GID
 Set to the group-ID of the user who invoked sudo.
 .It Ev SUDO_PROMPT
-Used as the default password prompt unless
+Used as the default password prompt unless the
 the
 .Fl p
 option was specified.
 .It Ev SUDO_PS1
@@ -1217,7 +1210,7 @@ $ sudo shutdown -r +15 "quick reboot"
 .Pp
 To make a usage listing of the directories in the /home partition.
 The commands are run in a sub-shell to allow the
-.Li cd
+.Ql cd
 command and file redirection to work.
 .Bd -literal -offset 4n
 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
@@ -1385,7 +1378,7 @@ plugin's
 functionality.
 .Pp
 It is not meaningful to run the
-.Li cd
+.Ql cd
 command directly via sudo, e.g.,
 .Bd -literal -offset 4n
 $ sudo cd /usr/local/protected
--- a/docs/sudo_logsrv.proto.man.in
+++ b/docs/sudo_logsrv.proto.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -93,7 +93,7 @@ message TimeSpec {
 A
 \fITimeSpec\fR
 is the equivalent of a POSIX
-\fRstruct timespec\fR,
+\fIstruct timespec\fR,
 containing seconds and nanoseconds members.
 The
 \fItv_sec\fR
--- a/docs/sudo_logsrv.proto.mdoc.in
+++ b/docs/sudo_logsrv.proto.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 16, 2022
+.Dd September 13, 2022
 .Dt SUDO_LOGSRV.PROTO @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -87,7 +87,7 @@ message TimeSpec {
 A
 .Em TimeSpec
 is the equivalent of a POSIX
-.Li struct timespec ,
+.Vt struct timespec ,
 containing seconds and nanoseconds members.
 The
 .Em tv_sec
@@ -237,10 +237,10 @@ If the command was terminated by a signal, this is set to the
 name of the signal without the leading
 .Dq SIG .
 For example,
-.Li INT ,
+.Dv INT ,
-.Li TERM ,
+.Dv TERM ,
-.Li KILL ,
+.Dv KILL ,
-.Li SEGV .
+.Dv SEGV .
 .It error
 A message from the client indicating that the command was terminated
 unexpectedly due to an error.
@@ -397,9 +397,9 @@ should be calculated using a monotonic clock where possible.
 The signal name without the leading
 .Dq SIG .
 For example,
-.Li STOP ,
+.Dv STOP ,
-.Li TSTP ,
+.Dv TSTP ,
-.Li CONT .
+.Dv CONT .
 .El
 .Sh Server Messages
 A
--- a/docs/sudo_logsrvd.conf.man.in
+++ b/docs/sudo_logsrvd.conf.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -168,14 +168,16 @@ will enable the TCP keepalive socket option on the client connection.
 This enables the periodic transmission of keepalive messages to the client.
 If the client does not respond to a message in time, the connection will
 be closed.
-Defaults to true.
+Defaults to
 \fItrue\fR.
 .TP 10n
 timeout = number
 The amount of time, in seconds,
 \fBsudo_logsrvd\fR
 will wait for the client to respond.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 \fI30\fR.
 .TP 10n
 tls_cacert = path
 The path to a certificate authority bundle file, in PEM format,
@@ -202,7 +204,7 @@ authority, the
 setting must be set to a CA bundle that contains the CA certificate
 used to generate the client certificate.
 The default value is
-\fRfalse\fR.
+\fIfalse\fR.
 .TP 10n
 tls_ciphers_v12 = string
 A list of ciphers to use for connections secured by TLS version 1.2 only,
@@ -214,7 +216,7 @@ section in
 openssl-ciphers(1)
 for full details.
 The default value is
-\fRHIGH:!aNULL\fR
+\(lqHIGH:!aNULL\(rq
 which consists of encryption cipher suites with key lengths larger than
 128 bits, and some cipher suites with 128-bit keys.
 Cipher suites that offer no authentication are excluded.
@@ -241,7 +243,8 @@ TLS_AES_128_CCM_8_SHA256
 .RE
 .RS 10n
 .sp
-The default cipher suite is TLS_AES_256_GCM_SHA384.
+The default cipher suite is
 \(lqTLS_AES_256_GCM_SHA384\(rq.
 .RE
 .PD
 .TP 10n
@@ -274,7 +277,8 @@ configuration is changed.
 If false, no verification is performed of the server certificate.
 When using self-signed certificates without a certificate authority,
 this setting should be set to false.
-The default value is true.
+The default value is
 \fItrue\fR.
 .SS "relay"
 The
 \fIrelay\fR
@@ -301,7 +305,8 @@ setting controls the amount of time
 \fBsudo_logsrvd\fR
 will wait for the relay to respond.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 \fI30\fR.
 .TP 10n
 relay_dir = path
 The directory in which log messages are temporarily stored before they
@@ -339,7 +344,8 @@ lines are specified, the first available relay host will be used.
 retry_interval = number
 The number of seconds to wait after a connection error before making
 a new attempt to forward a message to a relay host.
-The default value is 30 seconds.
+The default value is
 \fI30\fR.
 .TP 10n
 store_first = boolean
 If true,
@@ -365,7 +371,8 @@ The amount of time, in seconds,
 \fBsudo_logsrvd\fR
 will wait for the relay server to respond after a connection has succeeded.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 \fI30\fR.
 .TP 10n
 tls_cacert = path
 The path to a certificate authority bundle file, in PEM format,
@@ -455,7 +462,7 @@ If set, I/O logs will be compressed using
 Enabling compression can make it harder to view the logs in real-time as
 the program is executing due to buffering.
 The default value is
-\fRfalse\fR.
+\fIfalse\fR.
 .TP 10n
 iolog_dir = path
 The top-level directory to use when constructing the path
@@ -471,30 +478,30 @@ escape sequences are supported:
 .RS 10n
 .PD 0
 .TP 6n
-\fR%{seq}\fR
+%{seq}
 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
 where every two digits are used to form a new directory, e.g.,
 \fI01/00/A5\fR
 .PD
 .TP 6n
-\fR%{user}\fR
+%{user}
 expanded to the invoking user's login name
 .TP 6n
-\fR%{group}\fR
+%{group}
 expanded to the name of the invoking user's real group-ID
 .TP 6n
-\fR%{runas_user}\fR
+%{runas_user}
 expanded to the login name of the user the command will
 be run as (e.g., root)
 .TP 6n
-\fR%{runas_group}\fR
+%{runas_group}
 expanded to the group name of the user the command will
 be run as (e.g., wheel)
 .TP 6n
-\fR%{hostname}\fR
+%{hostname}
 expanded to the local host name without the domain name
 .TP 6n
-\fR%{command}\fR
+%{command}
 expanded to the base name of the command being run
 .PP
 In addition, any escape sequences supported by the system's
@@ -516,7 +523,7 @@ It is possible for
 \fIiolog_file\fR
 to contain directory components.
 The default value is
-\fR%{seq}\fR.
+\(lq%{seq}\(rq.
 .sp
 See the
 \fIiolog_dir\fR
@@ -526,9 +533,9 @@ escape sequences.
 .sp
 In addition to the escape sequences, path names that end in six or
 more
-\fRX\fRs
+\fIX\fRs
 will have the
-\fRX\fRs
+\fIX\fRs
 replaced with a unique combination of digits and letters, similar to the
 mktemp(3)
 function.
@@ -542,7 +549,7 @@ overwritten unless
 \fIiolog_file\fR
 ends in six or
 more
-\fRX\fRs.
+\fIX\fRs.
 .TP 10n
 iolog_flush = boolean
 If set, I/O log data is flushed to disk after each write instead of
@@ -553,7 +560,7 @@ of I/O log compression.
 I/O logs are always flushed before sending a commit point to the client
 regardless of this setting.
 The default value is
-\fRtrue\fR.
+\fItrue\fR.
 .TP 10n
 iolog_group = name
 The group name to look up when setting the group-ID on new I/O log
@@ -579,7 +586,7 @@ When creating I/O log directories, search (execute) bits are added
 to match the read and write bits specified by
 \fIiolog_mode\fR.
 The default value is
-\fR0600\fR.
+\fI0600\fR.
 .TP 10n
 iolog_user = name
 The user name to look up when setting the owner of new
@@ -599,7 +606,7 @@ the password will still be present in the I/O log.
 If
 \fIlog_passwords\fR
 is set to
-\fRfalse\fR,
+\fIfalse\fR,
 \fBsudo_logsrvd\fR
 will attempt to prevent passwords from being logged.
 It does this by using the regular expressions in
@@ -617,16 +624,16 @@ when the
 option is set), only the
 first character of the password will be replaced in the I/O log.
 The default value is
-\fRtrue\fR.
+\fItrue\fR.
 .TP 10n
 maxseq = number
 The maximum sequence number that will be substituted for the
-\(lq\fR%{seq}\fR\(rq
+\(lq%{seq}\(rq
 escape in the I/O log file (see the
 \fIiolog_dir\fR
 description above for more information).
 While the value substituted for
-\(lq\fR%{seq}\fR\(rq
+\(lq%{seq}\(rq
 is in base 36,
 \fImaxseq\fR
 itself should be expressed in decimal.
@@ -634,7 +641,8 @@ Values larger than 2176782336 (which corresponds to the
 base 36 sequence number
 \(lqZZZZZZ\(rq)
 will be silently truncated to 2176782336.
-The default value is 2176782336.
+The default value is
 \fI2176782336\fR.
 .TP 10n
 passprompt_regex = string
 One or more POSIX extended regular expressions used to
@@ -669,7 +677,8 @@ log_exit = boolean
 If true,
 \fBsudo_logsrvd\fR
 will log an event when a command exits or is terminated by a signal.
-Defaults to false.
+Defaults to
 \fIfalse\fR.
 .TP 6n
 log_format = string
 The event log format.
@@ -691,7 +700,7 @@ syslog(3).
 facility = string
 Syslog facility if syslog is being used for logging.
 Defaults to
-\fR@logfac@\fR.
+\fI@logfac@\fR.
 .sp
 The following syslog facilities are supported:
 \fBauthpriv\fR
@@ -714,7 +723,7 @@ accept_priority = string
 Syslog priority to use when the user is allowed to run a command and
 authentication is successful.
 Defaults to
-\fR@goodpri@\fR.
+\fI@goodpri@\fR.
 .sp
 The following syslog priorities are supported:
 \fBalert\fR,
@@ -735,7 +744,7 @@ reject_priority = string
 Syslog priority to use when the user is not allowed to run a command or
 when authentication is unsuccessful.
 Defaults to
-\fR@badpri@\fR.
+\fI@badpri@\fR.
 .sp
 See
 \fIaccept_priority\fR
@@ -744,7 +753,7 @@ for the list of supported syslog priorities.
 alert_priority = string
 Syslog priority to use for event log alert messages received from the client.
 Defaults to
-\fR@badpri@\fR.
+\fI@badpri@\fR.
 .sp
 See
 \fIaccept_priority\fR
@@ -779,7 +788,7 @@ server_facility = string
 Syslog facility if syslog is being used for server warning messages.
 See above for a list of supported facilities.
 Defaults to
-\fRdaemon\fR
+\fIdaemon\fR
 .SS "logfile"
 The
 \fIlogfile\fR
@@ -800,10 +809,12 @@ Formatting is performed via the system's
 strftime(3)
 function so any escape sequences supported by that function will be expanded.
 The default value is
-\(lq\fR%h %e %T\fR\(rq
+\(lq%h %e %T\(rq
 which produces dates like
 \(lqOct 3 07:15:24\(rq
-in the C locale.
+in the
 \(oqC\(cq
 locale.
 .SH "FILES"
 .TP 26n
 \fI@sysconfdir@/sudo_logsrvd.conf\fR
--- a/docs/sudo_logsrvd.conf.mdoc.in
+++ b/docs/sudo_logsrvd.conf.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 16, 2022
+.Dd September 13, 2022
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -152,13 +152,15 @@ will enable the TCP keepalive socket option on the client connection.
 This enables the periodic transmission of keepalive messages to the client.
 If the client does not respond to a message in time, the connection will
 be closed.
-Defaults to true.
+Defaults to
 .Em true .
 .It timeout = number
 The amount of time, in seconds,
 .Nm sudo_logsrvd
 will wait for the client to respond.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 .Em 30 .
 .It tls_cacert = path
 The path to a certificate authority bundle file, in PEM format,
 to use instead of the system's default certificate authority database
@@ -182,7 +184,7 @@ authority, the
 setting must be set to a CA bundle that contains the CA certificate
 used to generate the client certificate.
 The default value is
-.Li false .
+.Em false .
 .It tls_ciphers_v12 = string
 A list of ciphers to use for connections secured by TLS version 1.2 only,
 separated by a colon
@@ -193,7 +195,7 @@ section in
 .Xr openssl-ciphers 1
 for full details.
 The default value is
-.Li HIGH:!aNULL
+.Dq HIGH:!aNULL
 which consists of encryption cipher suites with key lengths larger than
 128 bits, and some cipher suites with 128-bit keys.
 Cipher suites that offer no authentication are excluded.
@@ -212,7 +214,8 @@ but should include the following:
 .It TLS_AES_128_CCM_8_SHA256
 .El
 .Pp
-The default cipher suite is TLS_AES_256_GCM_SHA384.
+The default cipher suite is
 .Dq TLS_AES_256_GCM_SHA384 .
 .It tls_dhparams = path
 The path to a file containing custom Diffie-Hellman parameters in PEM format.
 This file can be created with the following command:
@@ -235,7 +238,8 @@ configuration is changed.
 If false, no verification is performed of the server certificate.
 When using self-signed certificates without a certificate authority,
 this setting should be set to false.
-The default value is true.
+The default value is
 .Em true .
 .El
 .Ss relay
 The
@@ -263,7 +267,8 @@ setting controls the amount of time
 .Nm sudo_logsrvd
 will wait for the relay to respond.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 .Em 30 .
 .It relay_dir = path
 The directory in which log messages are temporarily stored before they
 are sent to the relay host.
@@ -298,7 +303,8 @@ lines are specified, the first available relay host will be used.
 .It retry_interval = number
 The number of seconds to wait after a connection error before making
 a new attempt to forward a message to a relay host.
-The default value is 30 seconds.
+The default value is
 .Em 30 .
 .It store_first = boolean
 If true,
 .Nm sudo_logsrvd
@@ -321,7 +327,8 @@ The amount of time, in seconds,
 .Nm sudo_logsrvd
 will wait for the relay server to respond after a connection has succeeded.
 A value of 0 will disable the timeout.
-The default value is 30.
+The default value is
 .Em 30 .
 .It tls_cacert = path
 The path to a certificate authority bundle file, in PEM format,
 to use instead of the system's default certificate authority database
@@ -404,7 +411,7 @@ If set, I/O logs will be compressed using
 Enabling compression can make it harder to view the logs in real-time as
 the program is executing due to buffering.
 The default value is
-.Li false .
+.Em false .
 .It iolog_dir = path
 The top-level directory to use when constructing the path
 name for the I/O log directory.
@@ -416,23 +423,23 @@ The following percent
 .Pq Ql %
 escape sequences are supported:
 .Bl -tag -width 4n
-.It Li %{seq}
+.It %{seq}
 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
 where every two digits are used to form a new directory, e.g.,
 .Pa 01/00/A5
-.It Li %{user}
+.It %{user}
 expanded to the invoking user's login name
-.It Li %{group}
+.It %{group}
 expanded to the name of the invoking user's real group-ID
-.It Li %{runas_user}
+.It %{runas_user}
 expanded to the login name of the user the command will
 be run as (e.g., root)
-.It Li %{runas_group}
+.It %{runas_group}
 expanded to the group name of the user the command will
 be run as (e.g., wheel)
-.It Li %{hostname}
+.It %{hostname}
 expanded to the local host name without the domain name
-.It Li %{command}
+.It %{command}
 expanded to the base name of the command being run
 .El
 .Pp
@@ -453,7 +460,7 @@ It is possible for
 .Em iolog_file
 to contain directory components.
 The default value is
-.Li %{seq} .
+.Dq %{seq} .
 .Pp
 See the
 .Em iolog_dir
@@ -463,9 +470,9 @@ escape sequences.
 .Pp
 In addition to the escape sequences, path names that end in six or
 more
-.Li X Ns s
+.Em X Ns s
 will have the
-.Li X Ns s
+.Em X Ns s
 replaced with a unique combination of digits and letters, similar to the
 .Xr mktemp 3
 function.
@@ -479,7 +486,7 @@ overwritten unless
 .Em iolog_file
 ends in six or
 more
-.Li X Ns s .
+.Em X Ns s .
 .It iolog_flush = boolean
 If set, I/O log data is flushed to disk after each write instead of
 buffering it.
@@ -489,7 +496,7 @@ of I/O log compression.
 I/O logs are always flushed before sending a commit point to the client
 regardless of this setting.
 The default value is
-.Li true .
+.Em true .
 .It iolog_group = name
 The group name to look up when setting the group-ID on new I/O log
 files and directories.
@@ -513,7 +520,7 @@ When creating I/O log directories, search (execute) bits are added
 to match the read and write bits specified by
 .Em iolog_mode .
 The default value is
-.Li 0600 .
+.Em 0600 .
 .It iolog_user = name
 The user name to look up when setting the owner of new
 I/O log files and directories.
@@ -531,7 +538,7 @@ the password will still be present in the I/O log.
 If
 .Em log_passwords
 is set to
-.Li false ,
+.Em false ,
 .Nm sudo_logsrvd
 will attempt to prevent passwords from being logged.
 It does this by using the regular expressions in
@@ -549,15 +556,15 @@ when the
 option is set), only the
 first character of the password will be replaced in the I/O log.
 The default value is
-.Li true .
+.Em true .
 .It maxseq = number
 The maximum sequence number that will be substituted for the
-.Dq Li %{seq}
+.Dq %{seq}
 escape in the I/O log file (see the
 .Em iolog_dir
 description above for more information).
 While the value substituted for
-.Dq Li %{seq}
+.Dq %{seq}
 is in base 36,
 .Em maxseq
 itself should be expressed in decimal.
@@ -565,7 +572,8 @@ Values larger than 2176782336 (which corresponds to the
 base 36 sequence number
 .Dq ZZZZZZ )
 will be silently truncated to 2176782336.
-The default value is 2176782336.
+The default value is
 .Em 2176782336 .
 .It passprompt_regex = string
 One or more POSIX extended regular expressions used to
 match password prompts in the terminal output when
@@ -599,7 +607,8 @@ The default value is
 If true,
 .Nm sudo_logsrvd
 will log an event when a command exits or is terminated by a signal.
-Defaults to false.
+Defaults to
 .Em false .
 .It log_format = string
 The event log format.
 Supported log formats are
@@ -621,7 +630,7 @@ section configures how events are logged via
 .It facility = string
 Syslog facility if syslog is being used for logging.
 Defaults to
-.Li @logfac@ .
+.Em @logfac@ .
 .Pp
 The following syslog facilities are supported:
 .Sy authpriv
@@ -643,7 +652,7 @@ and
 Syslog priority to use when the user is allowed to run a command and
 authentication is successful.
 Defaults to
-.Li @goodpri@ .
+.Em @goodpri@ .
 .Pp
 The following syslog priorities are supported:
 .Sy alert ,
@@ -663,7 +672,7 @@ will disable logging of successful commands.
 Syslog priority to use when the user is not allowed to run a command or
 when authentication is unsuccessful.
 Defaults to
-.Li @badpri@ .
+.Em @badpri@ .
 .Pp
 See
 .Em accept_priority
@@ -671,7 +680,7 @@ for the list of supported syslog priorities.
 .It alert_priority = string
 Syslog priority to use for event log alert messages received from the client.
 Defaults to
-.Li @badpri@ .
+.Em @badpri@ .
 .Pp
 See
 .Em accept_priority
@@ -704,7 +713,7 @@ JSON-format log entries are never split and are not affected by
 Syslog facility if syslog is being used for server warning messages.
 See above for a list of supported facilities.
 Defaults to
-.Li daemon
+.Em daemon
 .El
 .Ss logfile
 The
@@ -725,10 +734,12 @@ Formatting is performed via the system's
 .Xr strftime 3
 function so any escape sequences supported by that function will be expanded.
 The default value is
-.Dq Li "%h %e %T"
+.Dq "%h %e %T"
 which produces dates like
 .Dq Oct  3 07:15:24
-in the C locale.
+in the
 .Ql C
 locale.
 .El
 .Sh FILES
 .Bl -tag -width 24n
--- a/docs/sudo_logsrvd.man.in
+++ b/docs/sudo_logsrvd.man.in
@@ -117,7 +117,7 @@ section.
 .SS "Debugging sudo_logsrvd"
 \fBsudo_logsrvd\fR
 supports a flexible debugging framework that is configured via
-\fRDebug\fR
+\fIDebug\fR
 lines in the
 sudo.conf(@mansectform@)
 file.
--- a/docs/sudo_logsrvd.mdoc.in
+++ b/docs/sudo_logsrvd.mdoc.in
@@ -112,7 +112,7 @@ section.
 .Ss Debugging sudo_logsrvd
 .Nm
 supports a flexible debugging framework that is configured via
-.Li Debug
+.Em Debug
 lines in the
 .Xr sudo.conf @mansectform@
 file.
--- a/docs/sudo_plugin.man.in
+++ b/docs/sudo_plugin.man.in
@@ -236,7 +236,7 @@ Only available starting with API version 1.16.
 debug_flags=string
 A debug file path name followed by a space and a comma-separated
 list of debug flags that correspond to the plugin's
-\fRDebug\fR
+\fIDebug\fR
 entry in
 sudo.conf(@mansectform@),
 if there is one.
@@ -265,7 +265,7 @@ will only pass
 if
 sudo.conf(@mansectform@)
 contains a plugin-specific
-\fRDebug\fR
+\fIDebug\fR
 entry.
 .TP 6n
 ignore_ticket=bool
@@ -677,7 +677,7 @@ tty=string
 The path to the user's terminal device.
 If the user has no terminal device associated with the session,
 the value will be empty, as in
-\(lq\fRtty=\fR\(rq.
+\(oqtty=\(cq.
 .TP 6n
 uid=uid_t
 The real user-ID of the user invoking
@@ -921,10 +921,10 @@ into
 \fIargv_out\fR,
 separated from the
 editor and its arguments by a
-\(lq\fR--\fR\(rq
+\(oq--\(cq
 element.
 The
-\(lq\fR--\fR\(rq
+\(oq--\(cq
 will be removed by
 \fBsudo\fR
 before the editor is executed.
--- a/docs/sudo_plugin.mdoc.in
+++ b/docs/sudo_plugin.mdoc.in
@@ -216,7 +216,7 @@ Only available starting with API version 1.16.
 .It debug_flags=string
 A debug file path name followed by a space and a comma-separated
 list of debug flags that correspond to the plugin's
-.Li Debug
+.Em Debug
 entry in
 .Xr sudo.conf @mansectform@ ,
 if there is one.
@@ -245,7 +245,7 @@ will only pass
 if
 .Xr sudo.conf @mansectform@
 contains a plugin-specific
-.Li Debug
+.Em Debug
 entry.
 .It ignore_ticket=bool
 Set to true if the user specified the
@@ -603,7 +603,7 @@ Only available starting with API version 1.2.
 The path to the user's terminal device.
 If the user has no terminal device associated with the session,
 the value will be empty, as in
-.Dq Li tty= .
+.Ql tty= .
 .It uid=uid_t
 The real user-ID of the user invoking
 .Nm sudo .
@@ -819,10 +819,10 @@ into
 .Fa argv_out ,
 separated from the
 editor and its arguments by a
-.Dq Li --
+.Ql --
 element.
 The
-.Dq Li --
+.Ql --
 will be removed by
 .Nm sudo
 before the editor is executed.
--- a/docs/sudo_sendlog.man.in
+++ b/docs/sudo_sendlog.man.in
@@ -154,7 +154,7 @@ version and exit.
 .SS "Debugging sendlog"
 \fBsudo_sendlog\fR
 supports a flexible debugging framework that is configured via
-\fRDebug\fR
+\fIDebug\fR
 lines in the
 sudo.conf(@mansectform@)
 file.
--- a/docs/sudo_sendlog.mdoc.in
+++ b/docs/sudo_sendlog.mdoc.in
@@ -139,7 +139,7 @@ version and exit.
 .Ss Debugging sendlog
 .Nm
 supports a flexible debugging framework that is configured via
-.Li Debug
+.Em Debug
 lines in the
 .Xr sudo.conf @mansectform@
 file.
--- a/docs/sudoers.ldap.man.in
+++ b/docs/sudoers.ldap.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOERS.LDAP" "@mansectform@" "July 25, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -69,16 +69,16 @@ is no need for a specialized tool to check syntax.
 The
 \fIsudoers\fR
 configuration is contained in the
-\fRou=SUDOers\fR
+\(oqou=SUDOers\(cq
 LDAP container.
 .PP
 Sudo first looks for the
-\fRcn=defaults\fR
+\(oqcn=defaults\(cq
 entry in the SUDOers container.
 If found, the multi-valued
-\fRsudoOption\fR
+\fIsudoOption\fR
 attribute is parsed in the same manner as a global
-\fRDefaults\fR
+\fIDefaults\fR
 line in
 \fI@sysconfdir@/sudoers\fR.
 In the following example, the
@@ -97,7 +97,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK
 .fi
 .PP
 The equivalent of a sudoer in LDAP is a
-\fRsudoRole\fR.
+\fIsudoRole\fR.
 It consists of the following attributes:
 .TP 6n
 \fBsudoUser\fR
@@ -120,36 +120,36 @@ Non-Unix group support is only available when an appropriate
 \fIgroup_plugin\fR
 is defined in the global
 \fIdefaults\fR
-\fRsudoRole\fR
+\fIsudoRole\fR
 object.
 If a
-\fRsudoUser\fR
+\fIsudoUser\fR
 entry is preceded by an exclamation point,
 \(oq\&!\(cq,
 and the entry matches, the
-\fRsudoRole\fR
+\fIsudoRole\fR
 in which it resides will be ignored.
 Negated
-\fRsudoUser\fR
+\fIsudoUser\fR
 entries are only supported by version 1.9.9 or higher.
 .TP 6n
 \fBsudoHost\fR
 A host name, IP address, IP network, or host netgroup (prefixed with a
 \(oq+\(cq).
 The special value
-\fRALL\fR
+\fBALL\fR
 will match any host.
 Host netgroups are matched using the host (both qualified and unqualified)
 and domain members only; the user member is not used when matching.
 If a
-\fRsudoHost\fR
+\fIsudoHost\fR
 entry is preceded by an exclamation point,
 \(oq\&!\(cq,
 and the entry matches, the
-\fRsudoRole\fR
+\fIsudoRole\fR
 in which it resides will be ignored.
 Negated
-\fRsudoHost\fR
+\fIsudoHost\fR
 entries are only supported by version 1.8.18 or higher.
 .TP 6n
 \fBsudoCommand\fR
@@ -160,7 +160,7 @@ If a command name is preceded by an exclamation point,
 the user will be prohibited from running that command.
 .sp
 The built-in command
-\(lq\fRsudoedit\fR\(rq
+\(lqsudoedit\(rq
 is used to permit a user to run
 \fBsudo\fR
 with the
@@ -169,13 +169,13 @@ option (or as
 \fBsudoedit\fR).
 It may take command line arguments just as a normal command does.
 Unlike other commands,
-\(lq\fRsudoedit\fR\(rq
+\(lqsudoedit\(rq
 is a built into
 \fBsudo\fR
 itself and must be specified in without a leading path.
 .sp
 The special value
-\fRALL\fR
+\fBALL\fR
 will match any command.
 .sp
 If a command name is prefixed with a SHA-2 digest, it will
@@ -205,7 +205,7 @@ Command digests are only supported by version 1.8.7 or higher.
 \fBsudoOption\fR
 Identical in function to the global options described above, but
 specific to the
-\fRsudoRole\fR
+\fIsudoRole\fR
 in which it resides.
 .TP 6n
 \fBsudoRunAsUser\fR
@@ -217,30 +217,29 @@ or user netgroup (prefixed with a
 \(oq+\(cq)
 that contains a list of users that commands may be run as.
 The special value
-\fRALL\fR
+\fBALL\fR
 will match any user.
 If a
-\fRsudoRunAsUser\fR
+\fIsudoRunAsUser\fR
 entry is preceded by an exclamation point,
 \(oq\&!\(cq,
 and the entry matches, the
-\fRsudoRole\fR
+\fIsudoRole\fR
 in which it resides will be ignored.
 If
-\fRsudoRunAsUser\fR
+\fIsudoRunAsUser\fR
 is specified but empty, it will match the invoking user.
 If neither
-\fRsudoRunAsUser\fR
+\fIsudoRunAsUser\fR
 nor
-\fRsudoRunAsGroup\fR
+\fIsudoRunAsGroup\fR
 are present, the value of the
 \fIrunas_default\fR
-\fRsudoOption\fR
+\fIsudoOption\fR
-is used (defaults to
+is used (defaults to @runas_default@).
 \fR@runas_default@\fR).
 .sp
 The
-\fRsudoRunAsUser\fR
+\fIsudoRunAsUser\fR
 attribute is only available in
 \fBsudo\fR
 versions
@@ -248,10 +247,10 @@ versions
 Older versions of
 \fBsudo\fR
 use the
-\fRsudoRunAs\fR
+\fIsudoRunAs\fR
 attribute instead.
 Negated
-\fRsudoRunAsUser\fR
+\fIsudoRunAsUser\fR
 entries are only supported by version 1.8.26 or higher.
 .TP 6n
 \fBsudoRunAsGroup\fR
@@ -259,34 +258,34 @@ A Unix group or group-ID (prefixed with
 \(oq#\(cq)
 that commands may be run as.
 The special value
-\fRALL\fR
+\fBALL\fR
 will match any group.
 If a
-\fRsudoRunAsGroup\fR
+\fIsudoRunAsGroup\fR
 entry is preceded by an exclamation point,
 \(oq\&!\(cq,
 and the entry matches, the
-\fRsudoRole\fR
+\fIsudoRole\fR
 in which it resides will be ignored.
 .sp
 The
-\fRsudoRunAsGroup\fR
+\fIsudoRunAsGroup\fR
 attribute is only available in
 \fBsudo\fR
 versions
 1.7.0 and higher.
 Negated
-\fRsudoRunAsGroup\fR
+\fIsudoRunAsGroup\fR
 entries are only supported by version 1.8.26 or higher.
 .TP 6n
 \fBsudoNotBefore\fR
 A timestamp in the form
-\fRyyyymmddHHMMSSZ\fR
+\(oqyyyymmddHHMMSSZ\(cq
 that can be used to provide a start date/time for when the
-\fRsudoRole\fR
+\fIsudoRole\fR
 will be valid.
 If multiple
-\fRsudoNotBefore\fR
+\fIsudoNotBefore\fR
 entries are present, the earliest is used.
 Timestamps must be in Coordinated Universal Time (UTC),
 not the local timezone.
@@ -294,7 +293,7 @@ The minute and seconds portions are optional, but some LDAP servers
 require that they be present (contrary to the RFC).
 .sp
 The
-\fRsudoNotBefore\fR
+\fIsudoNotBefore\fR
 attribute is only available in
 \fBsudo\fR
 versions 1.7.5 and higher and must be explicitly enabled via the
@@ -304,12 +303,12 @@ option in
 .TP 6n
 \fBsudoNotAfter\fR
 A timestamp in the form
-\fRyyyymmddHHMMSSZ\fR
+\(oqyyyymmddHHMMSSZ\(cq
 that indicates an expiration date/time, after which the
-\fRsudoRole\fR
+\fIsudoRole\fR
 will no longer be valid.
 If multiple
-\fRsudoNotAfter\fR
+\fIsudoNotAfter\fR
 entries are present, the last one is used.
 Timestamps must be in Coordinated Universal Time (UTC),
 not the local timezone.
@@ -317,7 +316,7 @@ The minute and seconds portions are optional, but some LDAP servers
 require that they be present (contrary to the RFC).
 .sp
 The
-\fRsudoNotAfter\fR
+\fIsudoNotAfter\fR
 attribute is only available in
 \fBsudo\fR
 versions
@@ -328,26 +327,26 @@ option in
 .TP 6n
 \fBsudoOrder\fR
 The
-\fRsudoRole\fR
+\fIsudoRole\fR
 entries retrieved from the LDAP directory have no inherent order.
 The
-\fRsudoOrder\fR
+\fIsudoOrder\fR
 attribute is an integer (or floating point value for LDAP servers
 that support it) that is used to sort the matching entries.
 This allows LDAP-based sudoers entries to more closely mimic the behavior
 of the sudoers file, where the order of the entries influences the result.
 If multiple entries match, the entry with the highest
-\fRsudoOrder\fR
+\fIsudoOrder\fR
 attribute is chosen.
 This corresponds to the
 \(lqlast match\(rq
 behavior of the sudoers file.
 If the
-\fRsudoOrder\fR
+\fIsudoOrder\fR
 attribute is not present, a value of 0 is assumed.
 .sp
 The
-\fRsudoOrder\fR
+\fIsudoOrder\fR
 attribute is only available in
 \fBsudo\fR
 versions 1.7.5 and higher.
@@ -355,12 +354,12 @@ versions 1.7.5 and higher.
 Each attribute listed above should contain a single value, but there
 may be multiple instances of each attribute type.
 A
-\fRsudoRole\fR
+\fIsudoRole\fR
 must contain at least one
-\fRsudoUser\fR,
+\fIsudoUser\fR,
-\fRsudoHost\fR,
+\fIsudoHost\fR,
 and
-\fRsudoCommand\fR.
+\fIsudoCommand\fR.
 .PP
 The following example allows users in group wheel to run any command
 on any host via
@@ -384,7 +383,7 @@ The first query is to parse the global options.
 The second is to match against the user's name and the groups that
 the user belongs to.
 (The special
-\fRALL\fR
+\fBALL\fR
 tag is matched in this query too.)
 If no match is returned for the user's name and groups, a third
 query returns all entries containing user netgroups and other
@@ -411,12 +410,12 @@ are as follows:
 .TP 5n
 1.\&
 Match all
-\fRnisNetgroup\fR
+\fInisNetgroup\fR
 records with a
-\fRnisNetgroupTriple\fR
+\fInisNetgroupTriple\fR
 containing the user, host, and NIS domain.
 The query will match
-\fRnisNetgroupTriple\fR
+\fInisNetgroupTriple\fR
 entries with either the short or long form of the host name or
 no host name specified in the tuple.
 If the NIS domain is set, the query will match only match entries
@@ -425,13 +424,13 @@ If the NIS domain is
 \fInot\fR
 set, a wildcard is used to match any domain name but be aware that the
 NIS schema used by some LDAP servers may not support wild cards for
-\fRnisNetgroupTriple\fR.
+\fInisNetgroupTriple\fR.
 .TP 5n
 2.\&
 Repeated queries are performed to find any nested
-\fRnisNetgroup\fR
+\fInisNetgroup\fR
 records with a
-\fRmemberNisNetgroup\fR
+\fImemberNisNetgroup\fR
 entry that refers to an already-matched record.
 .PP
 For sites with a large number of netgroups, using
@@ -465,7 +464,7 @@ returned in any specific order.
 .PP
 The order in which different entries are applied can be controlled
 using the
-\fRsudoOrder\fR
+\fIsudoOrder\fR
 attribute, but there is no way to guarantee the order of attributes
 within a specific entry.
 If there are conflicting command rules in an entry, the negative
@@ -519,18 +518,18 @@ These cannot be converted automatically.
 For example, a Cmnd_Alias in a
 \fIsudoers\fR
 file may be converted to a
-\fRsudoRole\fR
+\fIsudoRole\fR
 that contains multiple commands.
 Multiple users and/or groups may be assigned to the
-\fRsudoRole\fR.
+\fIsudoRole\fR.
 .PP
 Also, host, user, runas, and command-based
-\fRDefaults\fR
+\fIDefaults\fR
 entries are not supported.
 However, a
-\fRsudoRole\fR
+\fIsudoRole\fR
 may contain one or more
-\fRsudoOption\fR
+\fIsudoOption\fR
 attributes which can often serve the same purpose.
 .PP
 Consider the following
@@ -590,7 +589,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each
 user would make this easier to maintain.
 .PP
 Per-user
-\fRDefaults\fR
+\fIDefaults\fR
 entries can be emulated by using one or more sudoOption attributes
 in a sudoRole.
 Consider the following
@@ -637,7 +636,7 @@ LDAP support, the
 schema must be
 installed on your LDAP server.
 In addition, be sure to index the
-\fRsudoUser\fR
+\fIsudoUser\fR
 attribute.
 .PP
 The
@@ -797,31 +796,30 @@ The default value is protocol version 3.
 \fBNETGROUP_BASE\fR \fIbase\fR
 The base DN to use when performing LDAP netgroup queries.
 Typically this is of the form
-\fRou=netgroup,dc=my-domain,dc=com\fR
+\(oqou=netgroup,dc=my-domain,dc=com\(cq
-for the domain
+for the domain my-domain.com.
 \fRmy-domain.com\fR.
 Multiple
 \fBNETGROUP_BASE\fR
 lines may be specified, in which case they are queried in the order specified.
 .sp
 This option can be used to query a user's netgroups directly via LDAP
 which is usually faster than fetching every
-\fRsudoRole\fR
+\fIsudoRole\fR
 object containing a
-\fRsudoUser\fR
+\fIsudoUser\fR
 that begins with a
 \(oq+\(cq
 prefix.
 The NIS schema used by some LDAP servers need a modification to
 support querying the
-\fRnisNetgroup\fR
+\fInisNetgroup\fR
 object by its
-\fRnisNetgroupTriple\fR
+\fInisNetgroupTriple\fR
 member.
 OpenLDAP's
 \fBslapd\fR
 requires the following change to the
-\fRnisNetgroupTriple\fR
+\fInisNetgroupTriple\fR
 attribute:
 .nf
 .sp
@@ -837,13 +835,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
 \fBNETGROUP_SEARCH_FILTER\fR \fIldap_filter\fR
 An LDAP filter which is used to restrict the set of records returned
 when performing an LDAP netgroup query.
-Typically, this is of the
+Typically, this is of the form
-form
+\(oqattribute=value\(cq
 \fRattribute=value\fR
 or
-\fR(&(attribute=value)(attribute2=value2))\fR.
+\(oq(&(attribute=value)(attribute2=value2))\(cq.
 The default search filter is:
-\fRobjectClass=nisNetgroup\fR.
+\(oqobjectClass=nisNetgroup\(cq.
 If
 \fIldap_filter\fR
 is omitted, no search filter will be used.
@@ -928,10 +925,10 @@ This option is only relevant when using SASL authentication.
 If the
 \fBSSL\fR
 parameter is set to
-\fRon\fR,
+\fIon\fR,
-\fRtrue\fR,
+\fItrue\fR,
 or
-\fRyes\fR
+\fIyes\fR
 TLS (SSL) encryption is always used when communicating with the LDAP server.
 Typically, this involves connecting to the server on port 636 (ldaps).
 .TP 6n
@@ -939,7 +936,7 @@ Typically, this involves connecting to the server on port 636 (ldaps).
 If the
 \fBSSL\fR
 parameter is set to
-\fRstart_tls\fR,
+\fIstart_tls\fR,
 the LDAP server connection is initiated normally and TLS encryption is
 begun before the bind credentials are sent.
 This has the advantage of not requiring a dedicated port for encrypted
@@ -953,9 +950,8 @@ The base DN to use when performing
 \fBsudo\fR
 LDAP queries.
 Typically this is of the form
-\fRou=SUDOers,dc=my-domain,dc=com\fR
+\(oqou=SUDOers,dc=my-domain,dc=com\(cq
-for the domain
+for the domain my-domain.com.
 \fRmy-domain.com\fR.
 Multiple
 \fBSUDOERS_BASE\fR
 lines may be specified, in which case they are queried in the order specified.
@@ -997,20 +993,20 @@ when performing a
 LDAP query.
 Typically, this is of the
 form
-\fRattribute=value\fR
+\(oqattribute=value\(cq
 or
-\fR(&(attribute=value)(attribute2=value2))\fR.
+\(oq(&(attribute=value)(attribute2=value2))\(cq.
 The default search filter is:
-\fRobjectClass=sudoRole\fR.
+\(oqobjectClass=sudoRole\(cq.
 If
 \fIldap_filter\fR
 is omitted, no search filter will be used.
 .TP 6n
 \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
 Whether or not to evaluate the
-\fRsudoNotBefore\fR
+\fIsudoNotBefore\fR
 and
-\fRsudoNotAfter\fR
+\fIsudoNotAfter\fR
 attributes that implement time-dependent sudoers entries.
 .TP 6n
 \fBTIMELIMIT\fR \fIseconds\fR
@@ -1062,11 +1058,11 @@ The certificate type depends on the LDAP libraries used.
 .PD 0
 .TP 6n
 OpenLDAP:
-\fRtls_cert /etc/ssl/client_cert.pem\fR
+\(oqtls_cert /etc/ssl/client_cert.pem\(cq
 .PD
 .TP 6n
 Netscape-derived:
-\fRtls_cert /var/ldap/cert7.db\fR
+\(oqtls_cert /var/ldap/cert7.db\(cq
 .TP 6n
 IBM LDAP:
 Unused, the key database specified by
@@ -1106,14 +1102,14 @@ The key type depends on the LDAP libraries used.
 .PD 0
 .TP 6n
 OpenLDAP:
-\fRtls_key /etc/ssl/client_key.pem\fR
+\(oqtls_key /etc/ssl/client_key.pem\(cq
 .PD
 .TP 6n
 Netscape-derived:
-\fRtls_key /var/ldap/key3.db\fR
+\(oqtls_key /var/ldap/key3.db\(cq
 .TP 6n
 IBM LDAP:
-\fRtls_key /usr/ldap/ldapkey.kdb\fR
+\(oqtls_key /usr/ldap/ldapkey.kdb\(cq
 .PP
 When using IBM LDAP libraries, this file may also contain
 Certificate Authority and client certificates and may be encrypted.
@@ -1171,15 +1167,15 @@ The
 must have the same path as the file specified by
 \fBTLS_KEY\fR,
 but use a
-\fR.sth\fR
+\(oq.sth\(cq
 file extension instead of
-\fR.kdb\fR,
+\(oq.kdb\(cq,
-e.g.,
+for example
-\fRldapkey.sth\fR.
+\(oqldapkey.sth\(cq.
 The default
-\fRldapkey.kdb\fR
+\(oqldapkey.kdb\(cq
 that ships with the IBM Tivoli Directory Server is encrypted with the password
-\fRssl_password\fR.
+\(oqssl_password\(cq.
 The
 \fIgsk8capicmd\fR
 utility can be used to manage the key database and create a
@@ -1251,9 +1247,9 @@ the latter being for servers that support TLS (SSL) encryption.
 If no
 \fIport\fR
 is specified, the default is port 389 for
-\fRldap://\fR
+\(oqldap://\(cq
 or port 636 for
-\fRldaps://\fR.
+\(oqldaps://\(cq.
 If no
 \fIhostname\fR
 is specified,
@@ -1266,9 +1262,9 @@ lines are treated identically to a
 \fBURI\fR
 line containing multiple entries.
 Only systems using the OpenSSL libraries support the mixing of
-\fRldap://\fR
+\(oqldap://\(cq
 and
-\fRldaps://\fR
+\(oqldaps://\(cq
 URIs.
 Both the Netscape-derived and IBM LDAP libraries used on most commercial
 versions of Unix are only capable of supporting one or the other.
@@ -1297,13 +1293,13 @@ to specify the
 \fIsudoers\fR
 search order.
 Sudo looks for a line beginning with
-\fRsudoers\fR:
+\fIsudoers\fR:
 and uses this to determine the search order.
 By default,
 \fBsudo\fR
 does not stop searching after the first match and later matches take
 precedence over earlier ones (unless
-\fR[SUCCESS=return]\fR
+\(oq[SUCCESS=return]\(cq
 is used, see below).
 The following sources are recognized:
 .PP
@@ -1322,14 +1318,14 @@ read sudoers from LDAP
 In addition, a subset of
 \fInsswitch.conf\fR-style
 action statements is supported, specifically
-\fR[SUCCESS=return]\fR
+\(oq[SUCCESS=return]\(cq
 and
-\fR[NOTFOUND=return]\fR.
+\(oq[NOTFOUND=return]\(cq.
 These will unconditionally terminate the search if the user was either
 found
-(\fR[SUCCESS=return]\fR)
+\(oq[SUCCESS=return]\(cq
 or not found
-(\fR[NOTFOUND=return]\fR)
+\(oq[NOTFOUND=return]\(cq
 in the immediately preceding source.
 Other action statements tokens are not supported, nor is test
 negation with
@@ -1420,11 +1416,11 @@ sudoers = ldap = auth, files
 .fi
 .PP
 In the above example, the
-\fRauth\fR
+\fIauth\fR
 qualifier only affects user lookups; both LDAP and
 \fIsudoers\fR
 will be queried for
-\fRDefaults\fR
+\fIDefaults\fR
 entries.
 .PP
 If the
@@ -1449,9 +1445,9 @@ rules.
 To use SSSD as the
 \fIsudoers\fR
 source, you should use
-\fRsss\fR
+\fIsss\fR
 instead of
-\fRldap\fR
+\fIldap\fR
 for the sudoers entry in
 \fI@nsswitch_conf@\fR.
 The
@@ -1595,7 +1591,7 @@ Simply copy
 it to the schema directory (e.g.,
 \fI/etc/openldap/schema\fR),
 add the proper
-\fRinclude\fR
+\fIinclude\fR
 line in
 \fIslapd.conf\fR
 and restart
--- a/docs/sudoers.ldap.mdoc.in
+++ b/docs/sudoers.ldap.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd July 25, 2022
+.Dd September 13, 2022
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -67,16 +67,16 @@ is no need for a specialized tool to check syntax.
 The
 .Em sudoers
 configuration is contained in the
-.Li ou=SUDOers
+.Ql ou=SUDOers
 LDAP container.
 .Pp
 Sudo first looks for the
-.Li cn=defaults
+.Ql cn=defaults
 entry in the SUDOers container.
 If found, the multi-valued
-.Li sudoOption
+.Em sudoOption
 attribute is parsed in the same manner as a global
-.Li Defaults
+.Em Defaults
 line in
 .Pa @sysconfdir@/sudoers .
 In the following example, the
@@ -92,7 +92,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK
 .Ed
 .Pp
 The equivalent of a sudoer in LDAP is a
-.Li sudoRole .
+.Em sudoRole .
 It consists of the following attributes:
 .Bl -tag -width 4n
 .It Sy sudoUser
@@ -115,35 +115,35 @@ Non-Unix group support is only available when an appropriate
 .Em group_plugin
 is defined in the global
 .Em defaults
-.Li sudoRole
+.Em sudoRole
 object.
 If a
-.Li sudoUser
+.Em sudoUser
 entry is preceded by an exclamation point,
 .Ql \&! ,
 and the entry matches, the
-.Li sudoRole
+.Em sudoRole
 in which it resides will be ignored.
 Negated
-.Li sudoUser
+.Em sudoUser
 entries are only supported by version 1.9.9 or higher.
 .It Sy sudoHost
 A host name, IP address, IP network, or host netgroup (prefixed with a
 .Ql + ) .
 The special value
-.Li ALL
+.Sy ALL
 will match any host.
 Host netgroups are matched using the host (both qualified and unqualified)
 and domain members only; the user member is not used when matching.
 If a
-.Li sudoHost
+.Em sudoHost
 entry is preceded by an exclamation point,
 .Ql \&! ,
 and the entry matches, the
-.Li sudoRole
+.Em sudoRole
 in which it resides will be ignored.
 Negated
-.Li sudoHost
+.Em sudoHost
 entries are only supported by version 1.8.18 or higher.
 .It Sy sudoCommand
 A fully-qualified Unix command name with optional command line arguments,
@@ -153,7 +153,7 @@ If a command name is preceded by an exclamation point,
 the user will be prohibited from running that command.
 .Pp
 The built-in command
-.Dq Li sudoedit
+.Dq sudoedit
 is used to permit a user to run
 .Nm sudo
 with the
@@ -162,13 +162,13 @@ option (or as
 .Nm sudoedit ) .
 It may take command line arguments just as a normal command does.
 Unlike other commands,
-.Dq Li sudoedit
+.Dq sudoedit
 is a built into
 .Nm sudo
 itself and must be specified in without a leading path.
 .Pp
 The special value
-.Li ALL
+.Sy ALL
 will match any command.
 .Pp
 If a command name is prefixed with a SHA-2 digest, it will
@@ -192,7 +192,7 @@ Command digests are only supported by version 1.8.7 or higher.
 .It Sy sudoOption
 Identical in function to the global options described above, but
 specific to the
-.Li sudoRole
+.Em sudoRole
 in which it resides.
 .It Sy sudoRunAsUser
 A user name or user-ID (prefixed with
@@ -203,30 +203,29 @@ or user netgroup (prefixed with a
 .Ql + )
 that contains a list of users that commands may be run as.
 The special value
-.Li ALL
+.Sy ALL
 will match any user.
 If a
-.Li sudoRunAsUser
+.Em sudoRunAsUser
 entry is preceded by an exclamation point,
 .Ql \&! ,
 and the entry matches, the
-.Li sudoRole
+.Em sudoRole
 in which it resides will be ignored.
 If
-.Li sudoRunAsUser
+.Em sudoRunAsUser
 is specified but empty, it will match the invoking user.
 If neither
-.Li sudoRunAsUser
+.Em sudoRunAsUser
 nor
-.Li sudoRunAsGroup
+.Em sudoRunAsGroup
 are present, the value of the
 .Em runas_default
-.Li sudoOption
+.Em sudoOption
-is used (defaults to
+is used (defaults to @runas_default@).
 .Li @runas_default@ ) .
 .Pp
 The
-.Li sudoRunAsUser
+.Em sudoRunAsUser
 attribute is only available in
 .Nm sudo
 versions
@@ -234,43 +233,43 @@ versions
 Older versions of
 .Nm sudo
 use the
-.Li sudoRunAs
+.Em sudoRunAs
 attribute instead.
 Negated
-.Li sudoRunAsUser
+.Em sudoRunAsUser
 entries are only supported by version 1.8.26 or higher.
 .It Sy sudoRunAsGroup
 A Unix group or group-ID (prefixed with
 .Ql # )
 that commands may be run as.
 The special value
-.Li ALL
+.Sy ALL
 will match any group.
 If a
-.Li sudoRunAsGroup
+.Em sudoRunAsGroup
 entry is preceded by an exclamation point,
 .Ql \&! ,
 and the entry matches, the
-.Li sudoRole
+.Em sudoRole
 in which it resides will be ignored.
 .Pp
 The
-.Li sudoRunAsGroup
+.Em sudoRunAsGroup
 attribute is only available in
 .Nm sudo
 versions
 1.7.0 and higher.
 Negated
-.Li sudoRunAsGroup
+.Em sudoRunAsGroup
 entries are only supported by version 1.8.26 or higher.
 .It Sy sudoNotBefore
 A timestamp in the form
-.Li yyyymmddHHMMSSZ
+.Ql yyyymmddHHMMSSZ
 that can be used to provide a start date/time for when the
-.Li sudoRole
+.Em sudoRole
 will be valid.
 If multiple
-.Li sudoNotBefore
+.Em sudoNotBefore
 entries are present, the earliest is used.
 Timestamps must be in Coordinated Universal Time (UTC),
 not the local timezone.
@@ -278,7 +277,7 @@ The minute and seconds portions are optional, but some LDAP servers
 require that they be present (contrary to the RFC).
 .Pp
 The
-.Li sudoNotBefore
+.Em sudoNotBefore
 attribute is only available in
 .Nm sudo
 versions 1.7.5 and higher and must be explicitly enabled via the
@@ -287,12 +286,12 @@ option in
 .Pa @ldap_conf@ .
 .It Sy sudoNotAfter
 A timestamp in the form
-.Li yyyymmddHHMMSSZ
+.Ql yyyymmddHHMMSSZ
 that indicates an expiration date/time, after which the
-.Li sudoRole
+.Em sudoRole
 will no longer be valid.
 If multiple
-.Li sudoNotAfter
+.Em sudoNotAfter
 entries are present, the last one is used.
 Timestamps must be in Coordinated Universal Time (UTC),
 not the local timezone.
@@ -300,7 +299,7 @@ The minute and seconds portions are optional, but some LDAP servers
 require that they be present (contrary to the RFC).
 .Pp
 The
-.Li sudoNotAfter
+.Em sudoNotAfter
 attribute is only available in
 .Nm sudo
 versions
@@ -310,26 +309,26 @@ option in
 .Pa @ldap_conf@ .
 .It Sy sudoOrder
 The
-.Li sudoRole
+.Em sudoRole
 entries retrieved from the LDAP directory have no inherent order.
 The
-.Li sudoOrder
+.Em sudoOrder
 attribute is an integer (or floating point value for LDAP servers
 that support it) that is used to sort the matching entries.
 This allows LDAP-based sudoers entries to more closely mimic the behavior
 of the sudoers file, where the order of the entries influences the result.
 If multiple entries match, the entry with the highest
-.Li sudoOrder
+.Em sudoOrder
 attribute is chosen.
 This corresponds to the
 .Dq last match
 behavior of the sudoers file.
 If the
-.Li sudoOrder
+.Em sudoOrder
 attribute is not present, a value of 0 is assumed.
 .Pp
 The
-.Li sudoOrder
+.Em sudoOrder
 attribute is only available in
 .Nm sudo
 versions 1.7.5 and higher.
@@ -338,12 +337,12 @@ versions 1.7.5 and higher.
 Each attribute listed above should contain a single value, but there
 may be multiple instances of each attribute type.
 A
-.Li sudoRole
+.Em sudoRole
 must contain at least one
-.Li sudoUser ,
+.Em sudoUser ,
-.Li sudoHost ,
+.Em sudoHost ,
 and
-.Li sudoCommand .
+.Em sudoCommand .
 .Pp
 The following example allows users in group wheel to run any command
 on any host via
@@ -364,7 +363,7 @@ The first query is to parse the global options.
 The second is to match against the user's name and the groups that
 the user belongs to.
 (The special
-.Li ALL
+.Sy ALL
 tag is matched in this query too.)
 If no match is returned for the user's name and groups, a third
 query returns all entries containing user netgroups and other
@@ -391,12 +390,12 @@ are as follows:
 .Bl -enum
 .It
 Match all
-.Li nisNetgroup
+.Em nisNetgroup
 records with a
-.Li nisNetgroupTriple
+.Em nisNetgroupTriple
 containing the user, host, and NIS domain.
 The query will match
-.Li nisNetgroupTriple
+.Em nisNetgroupTriple
 entries with either the short or long form of the host name or
 no host name specified in the tuple.
 If the NIS domain is set, the query will match only match entries
@@ -405,12 +404,12 @@ If the NIS domain is
 .Em not
 set, a wildcard is used to match any domain name but be aware that the
 NIS schema used by some LDAP servers may not support wild cards for
-.Li nisNetgroupTriple .
+.Em nisNetgroupTriple .
 .It
 Repeated queries are performed to find any nested
-.Li nisNetgroup
+.Em nisNetgroup
 records with a
-.Li memberNisNetgroup
+.Em memberNisNetgroup
 entry that refers to an already-matched record.
 .El
 .Pp
@@ -445,7 +444,7 @@ returned in any specific order.
 .Pp
 The order in which different entries are applied can be controlled
 using the
-.Li sudoOrder
+.Em sudoOrder
 attribute, but there is no way to guarantee the order of attributes
 within a specific entry.
 If there are conflicting command rules in an entry, the negative
@@ -496,18 +495,18 @@ These cannot be converted automatically.
 For example, a Cmnd_Alias in a
 .Em sudoers
 file may be converted to a
-.Li sudoRole
+.Em sudoRole
 that contains multiple commands.
 Multiple users and/or groups may be assigned to the
-.Li sudoRole .
+.Em sudoRole .
 .Pp
 Also, host, user, runas, and command-based
-.Li Defaults
+.Em Defaults
 entries are not supported.
 However, a
-.Li sudoRole
+.Em sudoRole
 may contain one or more
-.Li sudoOption
+.Em sudoOption
 attributes which can often serve the same purpose.
 .Pp
 Consider the following
@@ -561,7 +560,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each
 user would make this easier to maintain.
 .Pp
 Per-user
-.Li Defaults
+.Em Defaults
 entries can be emulated by using one or more sudoOption attributes
 in a sudoRole.
 Consider the following
@@ -602,7 +601,7 @@ LDAP support, the
 schema must be
 installed on your LDAP server.
 In addition, be sure to index the
-.Li sudoUser
+.Em sudoUser
 attribute.
 .Pp
 The
@@ -748,31 +747,30 @@ The default value is protocol version 3.
 .It Sy NETGROUP_BASE Ar base
 The base DN to use when performing LDAP netgroup queries.
 Typically this is of the form
-.Li ou=netgroup,dc=my-domain,dc=com
+.Ql ou=netgroup,dc=my-domain,dc=com
-for the domain
+for the domain my-domain.com.
 .Li my-domain.com .
 Multiple
 .Sy NETGROUP_BASE
 lines may be specified, in which case they are queried in the order specified.
 .Pp
 This option can be used to query a user's netgroups directly via LDAP
 which is usually faster than fetching every
-.Li sudoRole
+.Em sudoRole
 object containing a
-.Li sudoUser
+.Em sudoUser
 that begins with a
 .Ql +
 prefix.
 The NIS schema used by some LDAP servers need a modification to
 support querying the
-.Li nisNetgroup
+.Em nisNetgroup
 object by its
-.Li nisNetgroupTriple
+.Em nisNetgroupTriple
 member.
 OpenLDAP's
 .Sy slapd
 requires the following change to the
-.Li nisNetgroupTriple
+.Em nisNetgroupTriple
 attribute:
 .Bd -literal -offset 4n
 attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
@@ -784,13 +782,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
 .It Sy NETGROUP_SEARCH_FILTER Ar ldap_filter
 An LDAP filter which is used to restrict the set of records returned
 when performing an LDAP netgroup query.
-Typically, this is of the
+Typically, this is of the form
-form
+.Ql attribute=value
 .Li attribute=value
 or
-.Li (&(attribute=value)(attribute2=value2)) .
+.Ql (&(attribute=value)(attribute2=value2)) .
 The default search filter is:
-.Li objectClass=nisNetgroup .
+.Ql objectClass=nisNetgroup .
 If
 .Ar ldap_filter
 is omitted, no search filter will be used.
@@ -867,17 +864,17 @@ This option is only relevant when using SASL authentication.
 If the
 .Sy SSL
 parameter is set to
-.Li on ,
+.Em on ,
-.Li true ,
+.Em true ,
 or
-.Li yes
+.Em yes
 TLS (SSL) encryption is always used when communicating with the LDAP server.
 Typically, this involves connecting to the server on port 636 (ldaps).
 .It Sy SSL Ar start_tls
 If the
 .Sy SSL
 parameter is set to
-.Li start_tls ,
+.Em start_tls ,
 the LDAP server connection is initiated normally and TLS encryption is
 begun before the bind credentials are sent.
 This has the advantage of not requiring a dedicated port for encrypted
@@ -890,9 +887,8 @@ The base DN to use when performing
 .Nm sudo
 LDAP queries.
 Typically this is of the form
-.Li ou=SUDOers,dc=my-domain,dc=com
+.Ql ou=SUDOers,dc=my-domain,dc=com
-for the domain
+for the domain my-domain.com.
 .Li my-domain.com .
 Multiple
 .Sy SUDOERS_BASE
 lines may be specified, in which case they are queried in the order specified.
@@ -932,19 +928,19 @@ when performing a
 LDAP query.
 Typically, this is of the
 form
-.Li attribute=value
+.Ql attribute=value
 or
-.Li (&(attribute=value)(attribute2=value2)) .
+.Ql (&(attribute=value)(attribute2=value2)) .
 The default search filter is:
-.Li objectClass=sudoRole .
+.Ql objectClass=sudoRole .
 If
 .Ar ldap_filter
 is omitted, no search filter will be used.
 .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
 Whether or not to evaluate the
-.Li sudoNotBefore
+.Em sudoNotBefore
 and
-.Li sudoNotAfter
+.Em sudoNotAfter
 attributes that implement time-dependent sudoers entries.
 .It Sy TIMELIMIT Ar seconds
 The
@@ -987,9 +983,9 @@ be used to authenticate the client to the LDAP server.
 The certificate type depends on the LDAP libraries used.
 .Bl -tag -width 4n
 .It OpenLDAP:
-.Li tls_cert /etc/ssl/client_cert.pem
+.Ql tls_cert /etc/ssl/client_cert.pem
 .It Netscape-derived:
-.Li tls_cert /var/ldap/cert7.db
+.Ql tls_cert /var/ldap/cert7.db
 .It IBM LDAP:
 Unused, the key database specified by
 .Sy TLS_KEY
@@ -1023,11 +1019,11 @@ The private key must not be password-protected.
 The key type depends on the LDAP libraries used.
 .Bl -tag -width 4n
 .It OpenLDAP:
-.Li tls_key /etc/ssl/client_key.pem
+.Ql tls_key /etc/ssl/client_key.pem
 .It Netscape-derived:
-.Li tls_key /var/ldap/key3.db
+.Ql tls_key /var/ldap/key3.db
 .It IBM LDAP:
-.Li tls_key /usr/ldap/ldapkey.kdb
+.Ql tls_key /usr/ldap/ldapkey.kdb
 .El
 .Pp
 When using IBM LDAP libraries, this file may also contain
@@ -1079,15 +1075,15 @@ The
 must have the same path as the file specified by
 .Sy TLS_KEY ,
 but use a
-.Li .sth
+.Ql .sth
 file extension instead of
-.Li .kdb ,
+.Ql .kdb ,
-e.g.,
+for example
-.Li ldapkey.sth .
+.Ql ldapkey.sth .
 The default
-.Li ldapkey.kdb
+.Ql ldapkey.kdb
 that ships with the IBM Tivoli Directory Server is encrypted with the password
-.Li ssl_password .
+.Ql ssl_password .
 The
 .Em gsk8capicmd
 utility can be used to manage the key database and create a
@@ -1149,9 +1145,9 @@ the latter being for servers that support TLS (SSL) encryption.
 If no
 .Em port
 is specified, the default is port 389 for
-.Li ldap://
+.Ql ldap://
 or port 636 for
-.Li ldaps:// .
+.Ql ldaps:// .
 If no
 .Em hostname
 is specified,
@@ -1164,9 +1160,9 @@ lines are treated identically to a
 .Sy URI
 line containing multiple entries.
 Only systems using the OpenSSL libraries support the mixing of
-.Li ldap://
+.Ql ldap://
 and
-.Li ldaps://
+.Ql ldaps://
 URIs.
 Both the Netscape-derived and IBM LDAP libraries used on most commercial
 versions of Unix are only capable of supporting one or the other.
@@ -1194,13 +1190,13 @@ to specify the
 .Em sudoers
 search order.
 Sudo looks for a line beginning with
-.Li sudoers :
+.Em sudoers :
 and uses this to determine the search order.
 By default,
 .Nm sudo
 does not stop searching after the first match and later matches take
 precedence over earlier ones (unless
-.Li [SUCCESS=return]
+.Ql [SUCCESS=return]
 is used, see below).
 The following sources are recognized:
 .Pp
@@ -1215,14 +1211,14 @@ read sudoers from LDAP
 In addition, a subset of
 .Pa nsswitch.conf Ns -style
 action statements is supported, specifically
-.Li [SUCCESS=return]
+.Ql [SUCCESS=return]
 and
-.Li [NOTFOUND=return] .
+.Ql [NOTFOUND=return] .
 These will unconditionally terminate the search if the user was either
 found
-.Pq Li [SUCCESS=return]
+.Ql [SUCCESS=return]
 or not found
-.Pq Li [NOTFOUND=return]
+.Ql [NOTFOUND=return]
 in the immediately preceding source.
 Other action statements tokens are not supported, nor is test
 negation with
@@ -1292,11 +1288,11 @@ sudoers = ldap = auth, files
 .Ed
 .Pp
 In the above example, the
-.Li auth
+.Em auth
 qualifier only affects user lookups; both LDAP and
 .Em sudoers
 will be queried for
-.Li Defaults
+.Em Defaults
 entries.
 .Pp
 If the
@@ -1318,9 +1314,9 @@ rules.
 To use SSSD as the
 .Em sudoers
 source, you should use
-.Li sss
+.Em sss
 instead of
-.Li ldap
+.Em ldap
 for the sudoers entry in
 .Pa @nsswitch_conf@ .
 The
@@ -1461,7 +1457,7 @@ Simply copy
 it to the schema directory (e.g.,
 .Pa /etc/openldap/schema ) ,
 add the proper
-.Li include
+.Em include
 line in
 .Pa slapd.conf
 and restart
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
--- a/docs/sudoers_timestamp.man.in
+++ b/docs/sudoers_timestamp.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOERS_TIMESTAMP" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS_TIMESTAMP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -29,7 +29,7 @@ plugin uses per-user time stamp files for credential caching.
 Once a user has been authenticated, they may use
 \fBsudo\fR
 without a password for a short period of time
-(\fR@timeout@\fR
+(\fI@timeout@\fR
 minutes unless overridden by the
 \fItimestamp_timeout\fR
 option)
--- a/docs/sudoers_timestamp.mdoc.in
+++ b/docs/sudoers_timestamp.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 16, 2022
+.Dd September 13, 2022
 .Dt SUDOERS_TIMESTAMP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -29,7 +29,7 @@ Once a user has been authenticated, they may use
 .Nm sudo
 without a password for a short period of time
 .Po
-.Li @timeout@
+.Em @timeout@
 minutes unless overridden by the
 .Em timestamp_timeout
 option
@@ -94,19 +94,19 @@ same file but are not inter-operable.
 The size of the record in bytes.
 .It type
 The record type, currently
-.Li TS_GLOBAL ,
+.Dv TS_GLOBAL ,
-.Li TS_TTY ,
+.Dv TS_TTY ,
 or
-.Li TS_PPID .
+.Dv TS_PPID .
 .It flags
 Zero or more record flags which can be bit-wise ORed together.
 Supported flags are
-.Li TS_DISABLED ,
+.Dv TS_DISABLED ,
 for records disabled via
 .Nm sudo
 .Fl k
 and
-.Li TS_ANYUID ,
+.Dv TS_ANYUID ,
 which is used only when matching records.
 .It auth_uid
 The user-ID that was used for authentication.
@@ -120,12 +120,12 @@ the default runas user or the target user.
 .It sid
 The ID of the user's terminal session, if present.
 The session ID is only used when matching records of type
-.Li TS_TTY .
+.Dv TS_TTY .
 .It start_time
 The start time of the session leader for records of type
-.Li TS_TTY
+.Dv TS_TTY
 or of the parent process for records of type
-.Li TS_PPID .
+.Dv TS_PPID .
 The
 .Em start_time
 is used to help prevent re-use of a time stamp record after a
@@ -157,10 +157,10 @@ option, no password is required.
 .It u.ttydev
 The device number of the terminal associated with the session for
 records of type
-.Li TS_TTY .
+.Dv TS_TTY .
 .It u.ppid
 The ID of the parent process for records of type
-.Li TS_PPID .
+.Dv TS_PPID .
 .El
 .Sh LOCKING
 In
@@ -174,7 +174,7 @@ of the entire file and the lock is held for a longer period of time.
 This scheme is described below.
 .Pp
 The first record in the time stamp file is of type
-.Li TS_LOCKEXCL
+.Dv TS_LOCKEXCL
 and is used as a
 .Em lock
 record to prevent more than one
@@ -182,7 +182,7 @@ record to prevent more than one
 process from adding a new record at the same time.
 Once the desired time stamp record has been located or created (and
 locked), the
-.Li TS_LOCKEXCL
+.Dv TS_LOCKEXCL
 record is unlocked.
 The lock on the individual time stamp record, however, is held until
 authentication is complete.
@@ -192,7 +192,7 @@ to avoid prompting for a password multiple times when it
 is used more than once in a pipeline.
 .Pp
 Records of type
-.Li TS_GLOBAL
+.Dv TS_GLOBAL
 cannot be locked for a long period of time since doing so would
 interfere with other
 .Nm sudo
--- a/docs/sudoreplay.man.in
+++ b/docs/sudoreplay.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOREPLAY" "@mansectsu@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDOREPLAY" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -50,7 +50,7 @@ The
 \fIID\fR
 should either be a six character sequence of digits and
 upper case letters, e.g.,
-\fR0100A5\fR
+\(lq0100A5\(rq
 or a path name.
 The
 \fIID\fR
@@ -76,8 +76,10 @@ with
 enabled in the
 \fIsudoers\fR
 file, a
-\fRTSID=ID\fR
+\(lqTSID=ID\(rq
-string is logged via syslog or to the
+string is logged via
 syslog(3)
 or to the
 \fBsudo\fR
 log file.
 The
@@ -400,7 +402,7 @@ This will be addressed in a future version of
 \fBsudoreplay\fR
 versions 1.8.4 and higher support a flexible debugging framework
 that is configured via
-\fRDebug\fR
+\fIDebug\fR
 lines in the
 sudo.conf(@mansectform@)
 file.
--- a/docs/sudoreplay.mdoc.in
+++ b/docs/sudoreplay.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 16, 2022
+.Dd September 13, 2022
 .Dt SUDOREPLAY @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -48,7 +48,7 @@ The
 .Em ID
 should either be a six character sequence of digits and
 upper case letters, e.g.,
-.Li 0100A5
+.Dq 0100A5
 or a path name.
 The
 .Em ID
@@ -74,8 +74,10 @@ with
 enabled in the
 .Em sudoers
 file, a
-.Li TSID=ID
+.Dq TSID=ID
-string is logged via syslog or to the
+string is logged via
 .Xr syslog 3
 or to the
 .Nm sudo
 log file.
 The
@@ -363,7 +365,7 @@ This will be addressed in a future version of
 .Nm
 versions 1.8.4 and higher support a flexible debugging framework
 that is configured via
-.Li Debug
+.Em Debug
 lines in the
 .Xr sudo.conf @mansectform@
 file.
--- a/docs/visudo.man.in
+++ b/docs/visudo.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "VISUDO" "@mansectsu@" "April 23, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "VISUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -289,7 +289,7 @@ include file for syntax errors.
 \fBvisudo\fR
 versions 1.8.4 and higher support a flexible debugging framework
 that is configured via
-\fRDebug\fR
+\fIDebug\fR
 lines in the
 sudo.conf(@mansectform@)
 file.
@@ -450,7 +450,7 @@ file.
 The
 \fIsudoers\fR
 file contains a
-\fRDefaults\fR
+\fIDefaults\fR
 setting not recognized by
 \fBvisudo\fR.
 .SH "SEE ALSO"
--- a/docs/visudo.mdoc.in
+++ b/docs/visudo.mdoc.in
@@ -20,7 +20,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd April 23, 2022
+.Dd September 13, 2022
 .Dt VISUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -281,7 +281,7 @@ include file for syntax errors.
 .Nm
 versions 1.8.4 and higher support a flexible debugging framework
 that is configured via
-.Li Debug
+.Em Debug
 lines in the
 .Xr sudo.conf @mansectform@
 file.
@@ -430,7 +430,7 @@ file.
 The
 .Em sudoers
 file contains a
-.Li Defaults
+.Em Defaults
 setting not recognized by
 .Nm .
 .El