author Todd C. Miller <millert@cvs.openbsd.org> 2000-01-28 01:10:21 +0000
committer Todd C. Miller <millert@cvs.openbsd.org> 2000-01-28 01:10:21 +0000
commit d4cab92e314f80d174f0d624e9a0aa72c407e710
tree 68cc1ae876796d15a78a27db0b5450337aacdff8 /usr.bin/sudo
parent 79540e454b03060b6768f64289a7e1e1f5ad03dc
1.6.2p1
Diffstat (limited to 'usr.bin/sudo')
-rw-r--r-- usr.bin/sudo/CHANGES 7
-rw-r--r-- usr.bin/sudo/INSTALL 36
-rw-r--r-- usr.bin/sudo/Makefile.in 5
-rw-r--r-- usr.bin/sudo/RUNSON 3
-rw-r--r-- usr.bin/sudo/configure 52
-rw-r--r-- usr.bin/sudo/configure.in 16
-rw-r--r-- usr.bin/sudo/find_path.c 4
-rw-r--r-- usr.bin/sudo/sudoers.5 168
-rw-r--r-- usr.bin/sudo/version.h 2
9 files changed, 212 insertions, 81 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index 4ac334d196a..f2d9cc266e8 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -1242,3 +1242,10 @@ Sudo 1.6.1 released.
392) PAM fixups: custom prompts now work correctly and errors are
dealt with more sanely. Patches from Cloyce D. Spradling.
+
+Sudo 1.6.2 released.
+
+393) Users in the 'exempt' group shouldn't get their $PATH overridden
+ by 'secure-path'. Patch from jmknoble@pobox.com.
+
+394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson.
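Review bot: entry 394 writes "Pam" where entry 392 just above writes "PAM", and entry 393 names the options as 'exempt' group and 'secure-path' while the sudoers.5 text in this same commit calls them exempt_group and secure_path. Suggest "PAM now works on HP-UX 11.0" and the option names as sudoers.5 spells them, so a reader searching CHANGES for secure_path finds the entry.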
diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL
index 37f709ae906..20a1c59da55 100644
--- a/usr.bin/sudo/INSTALL
+++ b/usr.bin/sudo/INSTALL
@@ -159,11 +159,17 @@ Special features/options:
on the machine.
--with-pam
- Enable PAM support. Tested on Redhat Linux 5.x, 6.0 and
- Solaris 2.6, 7.
- NOTE: on RedHat Linux (and perhaps others) you *must* install
- an /etc/pam.d/sudo file. You may either use the sample.pam
- file included with sudo or use /etc/pam.d/su as a reference.
+ Enable PAM support. Tested on:
+ Redhat Linux 5.x, 6.0, and 6.1
+ Solaris 2.6 and 7
+ HP-UX 11.0
+ NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file.
+ You may either use the sample.pam file included with sudo or use
+ /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems
+ you should check (and understand) the contents of /etc/pam.conf.
+ Do a "man pam.conf" for more information and consider using the
+ "debug" option, if available, with your PAM libraries in
+ /etc/pam.conf to obtain syslog output for debugging purposes.
--with-AFS
Enable AFS support with kerberos authentication. Should work under
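Review bot: the NOTE on the added lines now reads "on RedHat Linux you *must* install an /etc/pam.d/sudo file" and drops the earlier "(and perhaps others)", which narrows the requirement to one distribution without saying why. If other systems that keep their PAM configuration under /etc/pam.d still need the file, keep the qualifier. The added lines also spell the name both "Redhat Linux" and "RedHat Linux"; pick one.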
@@ -171,8 +177,14 @@ Special features/options:
link without it.
--with-DCE
- Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other
- platforms may require source code and/or `configure' changes.
+ Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0.
+ The use of PAM is recommended for HP-UX 11.X systems, since PAM is
+ fully implemented (this is not true for 10.20 and earlier versions).
+ Check to see that your 11.X (or other) system uses DCE via PAM by
+ looking at /etc/pam.conf to see if "libpam_dce" libraries are
+ referenced there. Other platforms may require source code and/or
+ `configure' changes; you should check to see if your platform can
+ access DCE via PAM before using this option.
--disable-sia
Disable SIA support. This is the "Security Integration Architecture"
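Review bot: the added --with-DCE text recommends PAM for HP-UX 11.X but never names the configure option to use instead. Say explicitly that such systems should build with --with-pam (documented earlier in this file) rather than --with-DCE, and put that advice ahead of "Known to work on HP-UX 9.X, 10.X, and 11.0", which otherwise reads as an endorsement of --with-DCE on 11.0.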
@@ -228,11 +240,11 @@ Special features/options:
security hole as most editors allow a user to get a shell (which would
be a root shell and hence, no logging).
-The following options are also configurable at runtime:
-
--with-otp-only
This option is now just an alias for --without-passwd.
+The following options are also configurable at runtime:
+
--with-long-otp-prompt
When validating with a One Time Password scheme (S/Key or OPIE), a
two-line prompt is used to make it easier to cut and paste the
@@ -286,7 +298,7 @@ The following options are also configurable at runtime:
Default is "*** SECURITY information for %h ***".
--without-mail-if-no-user
- Normally, sudo will mail to the "alermail" user if the user invoking
+ Normally, sudo will mail to the "alertmail" user if the user invoking
sudo is not in the sudoers file. This option disables that behavior.
--with-mail-if-no-host
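Review bot: "alertmail" on the corrected line is still not a name defined anywhere in this diff; the sudoers.5 text added in the same commit calls the recipient the mailto user ("mail will be sent to the mailto user if the invoking user is not in the sudoers file"). Using that wording here would keep the two documents aligned.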
@@ -357,8 +369,8 @@ The following options are also configurable at runtime:
The default is 5, set this to 0 for no password timeout.
--with-tty-tickets
- This makes sudo use a different ticket file for each tty (per user).
- Ie: instead of the ticket file being "username" it is "username:tty".
+ This makes sudo use a different ticket file for each user/tty combo.
+ Ie: instead of the ticket path being "username" it is "username/tty".
This is useful for "shared" accounts like "operator". Note that this
means that there will be more files in the timestamp dir. This is not
a problem if your system has a cron job to remove of files from /tmp
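Review bot: the new wording (ticket path "username/tty") implies a per-user directory, but the sentence does not say so and the line above it still speaks of a "ticket file". The tty_tickets entry added to sudoers.5 in this commit states it directly (a directory named for the user holding a file named for the tty); reuse that description here. While in this paragraph, "Ie:" would read better as "i.e.," and the context line "to remove of files from /tmp" has a stray "of".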
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index fea49bbe89c..3795d0da53e 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -34,7 +34,7 @@
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.193 2000/01/17 23:46:24 millert Exp $
+# $Sudo: Makefile.in,v 1.194 2000/01/24 15:48:46 millert Exp $
#
#### Start of system configuration section. ####
@@ -148,7 +148,7 @@ DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES FAQ HISTORY INSTALL INSTALL.configure \
sample.sudoers sudo.cat sudo.man sudo.pod sudoers sudoers.cat \
sudoers.man sudoers.pod visudo.cat visudo.man visudo.pod auth/API
-BINFILES= BUGS CHANGES FAQ HISTORY LICENSE README TODO TROUBLESHOOTING \
+BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \
sudoers.pod visudo visudo.cat visudo.man visudo.pod
@@ -342,6 +342,7 @@ bindist:
cp ../../$(srcdir)/$$i . ; \
fi ; \
done ; \
+ ln -s TROUBLESHOOTING FAQ ; \
for i in $(BINSPECIAL) ; do \
if [ -f ../../$$i ]; then \
cp ../../$$i `basename $$i .binary` ; \
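Review bot: the added "ln -s TROUBLESHOOTING FAQ" has no guard for a FAQ that already exists in the staging directory, and because the commands are chained with "; \" a failed ln does not stop the target. If bindist can be rerun over a directory that already holds FAQ, remove it first (rm -f FAQ) before linking. Also confirm that the step that packs the binary distribution preserves the symlink, since FAQ was dropped from BINFILES in the previous hunk and now exists only as this link.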
diff --git a/usr.bin/sudo/RUNSON b/usr.bin/sudo/RUNSON
index c3ffa3e8f16..15284a3c6a9 100644
--- a/usr.bin/sudo/RUNSON
+++ b/usr.bin/sudo/RUNSON
@@ -38,7 +38,8 @@ HP-UX 10.20 hp700 bundled cc 1.6.2 Todd Miller none
HP-UX 10.20 PA-RISC2.0 bundled cc 1.5.4 Leon von Stauber none
HP-UX 11.00 hp700 ansi-c 1.5.5b1 Alek Komarnitsky --with-C2
HP-UX 11.00 hp700 bundled cc 1.5.5p5 Lynn Osburn none
-HP-UX 10.20 hp700 gcc 2.8.1 1.5.6b2 Jeff Earickson --with-DCE
+HP-UX 11.00 hp700 HP C compiler 1.6.2 Jeff Earickson --with-pam
+HP-UX 10.20 hp700 gcc 2.95.2 1.6.2 Jeff Earickson --with-DCE
Ultrix 4.3 mips bundled cc 1.6.2 Todd Miller none
Ultrix 4.3 mips gcc2.7.2.1 1.5.9 Todd Miller --with-skey
IRIX 4.05H mips gcc2.6.3 1.5.3 Todd Miller none
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index 876186a6875..438e0cd795e 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -7630,6 +7630,44 @@ EOF
AUTH_OBJS="${AUTH_OBJS} kerb5.o"
fi
+if test "$with_pam" = "yes"; then
+ echo $ac_n "checking for -ldl""... $ac_c" 1>&6
+echo "configure:7636: checking for -ldl" >&5
+if eval "test \"`echo '$''{'ac_cv_lib_dl'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-ldl $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 7643 "configure"
+#include "confdefs.h"
+
+int main() {
+main()
+; return 0; }
+EOF
+if { (eval echo configure:7650: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ ac_cv_lib_dl=yes
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ ac_cv_lib_dl=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+echo "$ac_t""$ac_cv_lib_dl" 1>&6
+if test "$ac_cv_lib_dl" = yes; then
+ SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
+else
+ SUDO_LIBS="${SUDO_LIBS} -lpam"
+fi
+
+fi
+
if test "$with_kerb4" = "yes"; then
cat >> confdefs.h <<\EOF
#define HAVE_KERB4 1
@@ -7658,21 +7696,21 @@ EOF
fi
echo $ac_n "checking for -ldes""... $ac_c" 1>&6
-echo "configure:7662: checking for -ldes" >&5
+echo "configure:7700: checking for -ldes" >&5
if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_save_LIBS="$LIBS"
LIBS="-ldes $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 7669 "configure"
+#line 7707 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:7676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+if { (eval echo configure:7714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
rm -rf conftest*
ac_cv_lib_des=yes
else
@@ -7695,10 +7733,6 @@ fi
AUTH_OBJS="${AUTH_OBJS} kerb4.o"
fi
-if test "$with_pam" = "yes"; then
- SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
-fi
-
if test "$with_AFS" = "yes"; then
# looks like the "standard" place for AFS libs is /usr/afsws/lib
@@ -7795,7 +7829,7 @@ if test "$with_authenticate" = "yes"; then
fi
echo $ac_n "checking for log file location""... $ac_c" 1>&6
-echo "configure:7799: checking for log file location" >&5
+echo "configure:7833: checking for log file location" >&5
if test -n "$with_logpath"; then
echo "$ac_t""$with_logpath" 1>&6
cat >> confdefs.h <<EOF
@@ -7825,7 +7859,7 @@ else
fi
echo $ac_n "checking for timestamp file location""... $ac_c" 1>&6
-echo "configure:7829: checking for timestamp file location" >&5
+echo "configure:7863: checking for timestamp file location" >&5
if test -n "$with_timedir"; then
echo "$ac_t""$with_timedir" 1>&6
cat >> confdefs.h <<EOF
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index 86a446617a1..aab9a996685 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -1,6 +1,6 @@
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.299 2000/01/19 19:07:24 millert Exp $
+dnl $Sudo: configure.in,v 1.300 2000/01/27 20:01:37 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-1999 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
@@ -1433,6 +1433,13 @@ if test "$with_kerb5" = "yes"; then
fi
dnl
+dnl PAM libs
+dnl
+if test "$with_pam" = "yes"; then
+ AC_HAVE_LIBRARY(dl, SUDO_LIBS="${SUDO_LIBS} -ldl -lpam", SUDO_LIBS="${SUDO_LIBS} -lpam")
+fi
+
+dnl
dnl Find kerberos 4 includes and libs or complain
dnl
if test "$with_kerb4" = "yes"; then
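Review bot: in the added AC_HAVE_LIBRARY call only -ldl is probed; -lpam is appended in both branches with no link test of its own, so --with-pam on a host without libpam passes configure and fails later at link time. Consider a second library check for pam that aborts configure with a clear message. A dnl comment saying why the block now sits ahead of the Kerberos 4 section would also help the next reader.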
@@ -1464,13 +1471,6 @@ if test "$with_kerb4" = "yes"; then
fi
dnl
-dnl PAM libs
-dnl
-if test "$with_pam" = "yes"; then
- SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
-fi
-
-dnl
dnl extra AFS libs and includes
dnl
if test "$with_AFS" = "yes"; then
diff --git a/usr.bin/sudo/find_path.c b/usr.bin/sudo/find_path.c
index 4d84b4e79dc..1c6c05cc72b 100644
--- a/usr.bin/sudo/find_path.c
+++ b/usr.bin/sudo/find_path.c
@@ -64,7 +64,7 @@ extern int lstat __P((const char *, struct stat *));
#endif /* !STDC_HEADERS */
#ifndef lint
-static const char rcsid[] = "$Sudo: find_path.c,v 1.94 1999/10/07 21:20:57 millert Exp $";
+static const char rcsid[] = "$Sudo: find_path.c,v 1.95 2000/01/27 04:31:58 millert Exp $";
#endif /* lint */
/*
@@ -108,7 +108,7 @@ find_path(infile, outfile)
* Grab PATH out of the environment (or from the string table
* if SECURE_PATH is in effect) and make a local copy.
*/
- if (def_str(I_SECURE_PATH))
+ if (def_str(I_SECURE_PATH) && !user_is_exempt())
path = def_str(I_SECURE_PATH);
else if ((path = getenv("PATH")) == NULL)
return(NOT_FOUND);
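Review bot: the block comment above the changed condition still says PATH comes "from the string table if SECURE_PATH is in effect", which is no longer true for exempt users; update it to mention the exemption. With this change an exempt user's own $PATH decides which binary an unqualified command name resolves to, so the comment and the exempt_group entry in sudoers.5 should say plainly that secure_path gives no protection for members of that group. No header or prototype change for user_is_exempt() appears in this diff, so confirm a declaration is already in scope in find_path.c.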
diff --git a/usr.bin/sudo/sudoers.5 b/usr.bin/sudo/sudoers.5
index be44be9391c..0ba2eebcba8 100644
--- a/usr.bin/sudo/sudoers.5
+++ b/usr.bin/sudo/sudoers.5
@@ -1,12 +1,12 @@
.rn '' }`
-''' $RCSfile: sudoers.5,v $$Revision: 1.3 $$Date: 2000/01/24 04:22:53 $
+''' $RCSfile: sudoers.5,v $$Revision: 1.4 $$Date: 2000/01/28 01:10:20 $
'''
''' $Log: sudoers.5,v $
-''' Revision 1.3 2000/01/24 04:22:53 millert
-''' sudo 1.6.2
+''' Revision 1.4 2000/01/28 01:10:20 millert
+''' 1.6.2p1
'''
-''' Revision 1.22 2000/01/24 03:57:49 millert
-''' Add netgroup caveat
+''' Revision 1.23 2000/01/26 21:21:28 millert
+''' Expanded docs on sudoers 'defaults' options based on INSTALL file info.
'''
'''
.de Sh
@@ -99,7 +99,7 @@
.nr % 0
.rr F
.\}
-.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS"
+.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
@@ -379,96 +379,172 @@ be escaped with a backslash (\f(CW\e\fR).
.PP
\fBFlags\fR:
.Ip "long_otp_prompt" 12
-Put \s-1OTP\s0 prompt on its own line
+When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
+a two-line prompt is used to make it easier to cut and paste the
+challenge to a local window. It's not as pretty as the default but
+some people find it more convenient. This flag is off by default.
.Ip "ignore_dot" 12
-Ignore \*(L'.\*(R' in \f(CW$PATH\fR
+If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
+the \f(CW$PATH\fR itself is not modified. This flag is off by default.
.Ip "mail_always" 12
-Always send mail when sudo is run
+Send mail to the \fImailto\fR user every time a users runs sudo.
+This flag is off by default.
.Ip "mail_no_user" 12
-Send mail if the user is not in sudoers
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file. This flag is on by default.
.Ip "mail_no_host" 12
-Send mail if the user is not in sudoers for this host
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user exists in the \fIsudoers\fR file, but is not allowed to run
+commands on the current host. This flag is off by default.
.Ip "mail_no_perms" 12
-Send mail if the user is not allowed to run a command
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user allowed to use sudo but the command they are trying is not
+listed in their \fIsudoers\fR file entry. This flag is off by default.
.Ip "tty_tickets" 12
-Use a separate timestamp for each user/tty combo
+If set, users must authenticate on a per-tty basis. Normally,
+\fBsudo\fR uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, \fBsudo\fR will use a
+file named for the tty the user is logged in on in that directory.
+This flag is off by default.
.Ip "lecture" 12
-Lecture user the first time they run sudo
+If set, a user will receive a short lecture the first time he/she
+runs \fBsudo\fR. This flag is on by default.
.Ip "authenticate" 12
-Require users to authenticate by default
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
+This flag is on by default.
.Ip "root_sudo" 12
-Root may run sudo
+If set, root is allowed to run sudo too. Disabling this prevents users
+from \*(L"chaining\*(R" sudo commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR.
+This flag is on by default.
.Ip "log_host" 12
-Log the hostname in the (non-syslog) log file
+If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "log_year" 12
-Log the year in the (non-syslog) log file
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "shell_noargs" 12
-If sudo is invoked with no arguments, start a shell
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\f(CW-s\fR flag had been given. That is, it runs a shell as root (the
+shell is determined by the \f(CWSHELL\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is off by default.
.Ip "set_home" 12
-Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
+If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \f(CW-u\fR option is used). This effectively
+makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default.
.Ip "path_info" 12
-Allow some information gathering to give useful error messages
+Normally, \fBsudo\fR will tell the user when a command could not be
+found in their \f(CW$PATH\fR. Some sites may wish to disable this as
+it could be used to gather information on the location of executables
+that the normal user does not have access to. The disadvantage is
+that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR
+will tell the user that they are not allowed to run it, which can
+be confusing. This flag is off by default.
.Ip "fqdn" 12
-Require fully-qualified hostnames in the sudoers file
+Set this flag if you want to put fully qualified hostnames in the
+\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as \s-1DNS\s0 knows it. That is,
+you may not use a host alias (\f(CWCNAME\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR
+command) is already fully qualified you shouldn't need to set
+\fIfqfn\fR. This flag is off by default.
.Ip "insults" 12
-Insult the user when they enter an incorrect password
+If set, sudo will insult users when they enter an incorrect
+password. This flag is off by default.
.Ip "requiretty" 12
-Only allow the user to run sudo if they have a tty
+If set, sudo will only run when the user is logged in to a real
+tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
+\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
+of echo when there is no tty present, some sites may with to set
+this flag to prevent a user from entering a visible password. This
+flag is off by default.
.PP
\fBIntegers\fR:
.Ip "passwd_tries" 12
-Number of tries to enter a password
+The number of tries a user gets to enter his/her password before
+sudo logs the failure and exits. The default is 3.
.PP
\fBIntegers that can be used in a boolean context\fR:
.Ip "loglinelen" 12
-Length at which to wrap log file lines (use 0 or negate for no wrap)
+Number of characters per line for the file log. This value is used
+to decide when to wrap lines for nicer log files. This has no
+effect on the syslog log file, only the file log. The default is
+80 (use 0 or negate to disable word wrap).
.Ip "timestamp_timeout" 12
-Authentication timestamp timeout
+Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
+again. The default is 5, set this to 0 to always prompt for a password.
.Ip "passwd_timeout" 12
-Password prompt timeout
+Number of minutes before the sudo password prompt times out.
+The default is 5, set this to 0 for no password timeout.
.Ip "umask" 12
-Umask to use or 0777 to use user's
+Umask to use when running the root command. Set this to 0777 to
+not override the user's umask. The default is 0022.
.PP
\fBStrings\fR:
.Ip "mailsub" 12
-Subject line for mail messages
+Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+will expand to the hostname of the machine.
+Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R".
.Ip "badpass_message" 12
-Incorrect password message
+Message that is displayed if a user enters an incorrect password.
+The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.
.Ip "timestampdir" 12
-Path to authentication timestamp dir
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR.
.Ip "passprompt" 12
-Default password prompt
+The default prompt to use when asking for a password; can be overridden
+via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports
+two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands
+to the local hostname. The default value is \*(L"Password:\*(R".
.Ip "runas_default" 12
-Default user to run commands as
+The default user to run commands as if the \f(CW-u\fR flag is not specified
+on the command line. This defaults to \*(L"root\*(R".
.Ip "syslog_goodpri" 12
-Syslog priority to use when user authenticates successfully
+Syslog priority to use when user authenticates successfully.
+Defaults to \*(L"notice\*(R".
.Ip "syslog_badpri" 12
-Syslog priority to use when user authenticates unsuccessfully
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to \*(L"alert\*(R".
.PP
\fBStrings that can be used in a boolean context\fR:
.Ip "syslog" 12
-Syslog facility if syslog is being used for logging (negate to disable syslog)
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to \*(L"local2\*(R".
.Ip "mailerpath" 12
-Path to mail program
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
.Ip "mailerflags" 12
-Flags for mail program
+Flags to use when invoking mailer. Defaults to \f(CW-t\fR.
.Ip "mailto" 12
-Address to send mail to
+Address to send warning and erorr mail to. Defaults to \*(L"root\*(R".
.Ip "exempt_group" 12
-Users in this group are exempt from password and \s-1PATH\s0 requirements
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
.Ip "secure_path" 12
-Value to override user's \f(CW$PATH\fR with
+Path used for every command run from \fBsudo\fR. If you don't trust the
+people running sudo to have a sane \f(CWPATH\fR environment variable you may
+want to use this. Another use is if you want to have the \*(L"root path\*(R"
+be separate from the \*(L"user path.\*(R" This is not set by default.
.Ip "verifypw" 12
This option controls when a password will be required when a
user runs sudo with the \fB\-v\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
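Review bot: the added path_info entry contradicts itself: it opens with "Normally, sudo will tell the user when a command could not be found" and describes sites that may wish to disable this, then ends "This flag is off by default"; one of the two must change. The added text also has several typos: "every time a users runs sudo" (mail_always), "user allowed to use sudo" missing "is" (mail_no_perms), "\fIfqfn\fR" for fqdn, "turn of echo" and "may with to set" (requiretty), and "erorr" (mailto). In ignore_dot the second quoted item is an empty pair of quotes, which will be hard to read in the rendered page; "an empty entry" would be clearer. If this page is generated from sudoers.pod, which Makefile.in lists in DISTFILES, the fixes belong in that file.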
@@ -487,12 +563,12 @@ This option controls when a password will be required when a
user runs sudo with the \fB\-l\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
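Review bot: the added lines put I<sudoers> inside a .Vb/.Ve verbatim block, where POD markup is not interpreted, so the man page will show the literal text "I<sudoers>" (the existing C<NOPASSWD> on the context lines has the same problem). Either drop the markup inside these tables or restructure the source so the values are not in a verbatim block. The same applies to the identical change in the verifypw table in the previous hunk.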
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index 1fac06c59ee..34b9ce2afe3 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -37,6 +37,6 @@
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.2";
+static const char version[] = "1.6.2p1";
#endif /* _SUDO_VERSION_H */
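Review bot: the version string becomes "1.6.2p1", but the .TH line of sudoers.5 changed in this same commit still carries "1.6.2", and the new CHANGES entries sit under "Sudo 1.6.2 released." with no mention of p1. If the patch level is meant to be visible to users, decide which of these should track version.h and bump them together.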