summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.bin/sudo/CHANGES7
-rw-r--r--usr.bin/sudo/INSTALL36
-rw-r--r--usr.bin/sudo/Makefile.in5
-rw-r--r--usr.bin/sudo/RUNSON3
-rw-r--r--usr.bin/sudo/configure52
-rw-r--r--usr.bin/sudo/configure.in16
-rw-r--r--usr.bin/sudo/find_path.c4
-rw-r--r--usr.bin/sudo/sudoers.5168
-rw-r--r--usr.bin/sudo/version.h2
9 files changed, 212 insertions, 81 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index 4ac334d196a..f2d9cc266e8 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -1242,3 +1242,10 @@ Sudo 1.6.1 released.
392) PAM fixups: custom prompts now work correctly and errors are
dealt with more sanely. Patches from Cloyce D. Spradling.
+
+Sudo 1.6.2 released.
+
+393) Users in the 'exempt' group shouldn't get their $PATH overridden
+ by 'secure-path'. Patch from jmknoble@pobox.com.
+
+394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson.
diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL
index 37f709ae906..20a1c59da55 100644
--- a/usr.bin/sudo/INSTALL
+++ b/usr.bin/sudo/INSTALL
@@ -159,11 +159,17 @@ Special features/options:
on the machine.
--with-pam
- Enable PAM support. Tested on Redhat Linux 5.x, 6.0 and
- Solaris 2.6, 7.
- NOTE: on RedHat Linux (and perhaps others) you *must* install
- an /etc/pam.d/sudo file. You may either use the sample.pam
- file included with sudo or use /etc/pam.d/su as a reference.
+ Enable PAM support. Tested on:
+ Redhat Linux 5.x, 6.0, and 6.1
+ Solaris 2.6 and 7
+ HP-UX 11.0
+ NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file.
+ You may either use the sample.pam file included with sudo or use
+ /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems
+ you should check (and understand) the contents of /etc/pam.conf.
+ Do a "man pam.conf" for more information and consider using the
+ "debug" option, if available, with your PAM libraries in
+ /etc/pam.conf to obtain syslog output for debugging purposes.
--with-AFS
Enable AFS support with kerberos authentication. Should work under
@@ -171,8 +177,14 @@ Special features/options:
link without it.
--with-DCE
- Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other
- platforms may require source code and/or `configure' changes.
+ Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0.
+ The use of PAM is recommended for HP-UX 11.X systems, since PAM is
+ fully implemented (this is not true for 10.20 and earlier versions).
+ Check to see that your 11.X (or other) system uses DCE via PAM by
+ looking at /etc/pam.conf to see if "libpam_dce" libraries are
+ referenced there. Other platforms may require source code and/or
+ `configure' changes; you should check to see if your platform can
+ access DCE via PAM before using this option.
--disable-sia
Disable SIA support. This is the "Security Integration Architecture"
@@ -228,11 +240,11 @@ Special features/options:
security hole as most editors allow a user to get a shell (which would
be a root shell and hence, no logging).
-The following options are also configurable at runtime:
-
--with-otp-only
This option is now just an alias for --without-passwd.
+The following options are also configurable at runtime:
+
--with-long-otp-prompt
When validating with a One Time Password scheme (S/Key or OPIE), a
two-line prompt is used to make it easier to cut and paste the
@@ -286,7 +298,7 @@ The following options are also configurable at runtime:
Default is "*** SECURITY information for %h ***".
--without-mail-if-no-user
- Normally, sudo will mail to the "alermail" user if the user invoking
+ Normally, sudo will mail to the "alertmail" user if the user invoking
sudo is not in the sudoers file. This option disables that behavior.
--with-mail-if-no-host
@@ -357,8 +369,8 @@ The following options are also configurable at runtime:
The default is 5, set this to 0 for no password timeout.
--with-tty-tickets
- This makes sudo use a different ticket file for each tty (per user).
- Ie: instead of the ticket file being "username" it is "username:tty".
+ This makes sudo use a different ticket file for each user/tty combo.
+ Ie: instead of the ticket path being "username" it is "username/tty".
This is useful for "shared" accounts like "operator". Note that this
means that there will be more files in the timestamp dir. This is not
a problem if your system has a cron job to remove of files from /tmp
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index fea49bbe89c..3795d0da53e 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -34,7 +34,7 @@
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.193 2000/01/17 23:46:24 millert Exp $
+# $Sudo: Makefile.in,v 1.194 2000/01/24 15:48:46 millert Exp $
#
#### Start of system configuration section. ####
@@ -148,7 +148,7 @@ DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES FAQ HISTORY INSTALL INSTALL.configure \
sample.sudoers sudo.cat sudo.man sudo.pod sudoers sudoers.cat \
sudoers.man sudoers.pod visudo.cat visudo.man visudo.pod auth/API
-BINFILES= BUGS CHANGES FAQ HISTORY LICENSE README TODO TROUBLESHOOTING \
+BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \
sudoers.pod visudo visudo.cat visudo.man visudo.pod
@@ -342,6 +342,7 @@ bindist:
cp ../../$(srcdir)/$$i . ; \
fi ; \
done ; \
+ ln -s TROUBLESHOOTING FAQ ; \
for i in $(BINSPECIAL) ; do \
if [ -f ../../$$i ]; then \
cp ../../$$i `basename $$i .binary` ; \
diff --git a/usr.bin/sudo/RUNSON b/usr.bin/sudo/RUNSON
index c3ffa3e8f16..15284a3c6a9 100644
--- a/usr.bin/sudo/RUNSON
+++ b/usr.bin/sudo/RUNSON
@@ -38,7 +38,8 @@ HP-UX 10.20 hp700 bundled cc 1.6.2 Todd Miller none
HP-UX 10.20 PA-RISC2.0 bundled cc 1.5.4 Leon von Stauber none
HP-UX 11.00 hp700 ansi-c 1.5.5b1 Alek Komarnitsky --with-C2
HP-UX 11.00 hp700 bundled cc 1.5.5p5 Lynn Osburn none
-HP-UX 10.20 hp700 gcc 2.8.1 1.5.6b2 Jeff Earickson --with-DCE
+HP-UX 11.00 hp700 HP C compiler 1.6.2 Jeff Earickson --with-pam
+HP-UX 10.20 hp700 gcc 2.95.2 1.6.2 Jeff Earickson --with-DCE
Ultrix 4.3 mips bundled cc 1.6.2 Todd Miller none
Ultrix 4.3 mips gcc2.7.2.1 1.5.9 Todd Miller --with-skey
IRIX 4.05H mips gcc2.6.3 1.5.3 Todd Miller none
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index 876186a6875..438e0cd795e 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -7630,6 +7630,44 @@ EOF
AUTH_OBJS="${AUTH_OBJS} kerb5.o"
fi
+if test "$with_pam" = "yes"; then
+ echo $ac_n "checking for -ldl""... $ac_c" 1>&6
+echo "configure:7636: checking for -ldl" >&5
+if eval "test \"`echo '$''{'ac_cv_lib_dl'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-ldl $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 7643 "configure"
+#include "confdefs.h"
+
+int main() {
+main()
+; return 0; }
+EOF
+if { (eval echo configure:7650: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ ac_cv_lib_dl=yes
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ ac_cv_lib_dl=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+echo "$ac_t""$ac_cv_lib_dl" 1>&6
+if test "$ac_cv_lib_dl" = yes; then
+ SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
+else
+ SUDO_LIBS="${SUDO_LIBS} -lpam"
+fi
+
+fi
+
if test "$with_kerb4" = "yes"; then
cat >> confdefs.h <<\EOF
#define HAVE_KERB4 1
@@ -7658,21 +7696,21 @@ EOF
fi
echo $ac_n "checking for -ldes""... $ac_c" 1>&6
-echo "configure:7662: checking for -ldes" >&5
+echo "configure:7700: checking for -ldes" >&5
if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_save_LIBS="$LIBS"
LIBS="-ldes $LIBS"
cat > conftest.$ac_ext <<EOF
-#line 7669 "configure"
+#line 7707 "configure"
#include "confdefs.h"
int main() {
main()
; return 0; }
EOF
-if { (eval echo configure:7676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+if { (eval echo configure:7714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
rm -rf conftest*
ac_cv_lib_des=yes
else
@@ -7695,10 +7733,6 @@ fi
AUTH_OBJS="${AUTH_OBJS} kerb4.o"
fi
-if test "$with_pam" = "yes"; then
- SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
-fi
-
if test "$with_AFS" = "yes"; then
# looks like the "standard" place for AFS libs is /usr/afsws/lib
@@ -7795,7 +7829,7 @@ if test "$with_authenticate" = "yes"; then
fi
echo $ac_n "checking for log file location""... $ac_c" 1>&6
-echo "configure:7799: checking for log file location" >&5
+echo "configure:7833: checking for log file location" >&5
if test -n "$with_logpath"; then
echo "$ac_t""$with_logpath" 1>&6
cat >> confdefs.h <<EOF
@@ -7825,7 +7859,7 @@ else
fi
echo $ac_n "checking for timestamp file location""... $ac_c" 1>&6
-echo "configure:7829: checking for timestamp file location" >&5
+echo "configure:7863: checking for timestamp file location" >&5
if test -n "$with_timedir"; then
echo "$ac_t""$with_timedir" 1>&6
cat >> confdefs.h <<EOF
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index 86a446617a1..aab9a996685 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -1,6 +1,6 @@
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.299 2000/01/19 19:07:24 millert Exp $
+dnl $Sudo: configure.in,v 1.300 2000/01/27 20:01:37 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-1999 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
@@ -1433,6 +1433,13 @@ if test "$with_kerb5" = "yes"; then
fi
dnl
+dnl PAM libs
+dnl
+if test "$with_pam" = "yes"; then
+ AC_HAVE_LIBRARY(dl, SUDO_LIBS="${SUDO_LIBS} -ldl -lpam", SUDO_LIBS="${SUDO_LIBS} -lpam")
+fi
+
+dnl
dnl Find kerberos 4 includes and libs or complain
dnl
if test "$with_kerb4" = "yes"; then
@@ -1464,13 +1471,6 @@ if test "$with_kerb4" = "yes"; then
fi
dnl
-dnl PAM libs
-dnl
-if test "$with_pam" = "yes"; then
- SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
-fi
-
-dnl
dnl extra AFS libs and includes
dnl
if test "$with_AFS" = "yes"; then
diff --git a/usr.bin/sudo/find_path.c b/usr.bin/sudo/find_path.c
index 4d84b4e79dc..1c6c05cc72b 100644
--- a/usr.bin/sudo/find_path.c
+++ b/usr.bin/sudo/find_path.c
@@ -64,7 +64,7 @@ extern int lstat __P((const char *, struct stat *));
#endif /* !STDC_HEADERS */
#ifndef lint
-static const char rcsid[] = "$Sudo: find_path.c,v 1.94 1999/10/07 21:20:57 millert Exp $";
+static const char rcsid[] = "$Sudo: find_path.c,v 1.95 2000/01/27 04:31:58 millert Exp $";
#endif /* lint */
/*
@@ -108,7 +108,7 @@ find_path(infile, outfile)
* Grab PATH out of the environment (or from the string table
* if SECURE_PATH is in effect) and make a local copy.
*/
- if (def_str(I_SECURE_PATH))
+ if (def_str(I_SECURE_PATH) && !user_is_exempt())
path = def_str(I_SECURE_PATH);
else if ((path = getenv("PATH")) == NULL)
return(NOT_FOUND);
diff --git a/usr.bin/sudo/sudoers.5 b/usr.bin/sudo/sudoers.5
index be44be9391c..0ba2eebcba8 100644
--- a/usr.bin/sudo/sudoers.5
+++ b/usr.bin/sudo/sudoers.5
@@ -1,12 +1,12 @@
.rn '' }`
-''' $RCSfile: sudoers.5,v $$Revision: 1.3 $$Date: 2000/01/24 04:22:53 $
+''' $RCSfile: sudoers.5,v $$Revision: 1.4 $$Date: 2000/01/28 01:10:20 $
'''
''' $Log: sudoers.5,v $
-''' Revision 1.3 2000/01/24 04:22:53 millert
-''' sudo 1.6.2
+''' Revision 1.4 2000/01/28 01:10:20 millert
+''' 1.6.2p1
'''
-''' Revision 1.22 2000/01/24 03:57:49 millert
-''' Add netgroup caveat
+''' Revision 1.23 2000/01/26 21:21:28 millert
+''' Expanded docs on sudoers 'defaults' options based on INSTALL file info.
'''
'''
.de Sh
@@ -99,7 +99,7 @@
.nr % 0
.rr F
.\}
-.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS"
+.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
@@ -379,96 +379,172 @@ be escaped with a backslash (\f(CW\e\fR).
.PP
\fBFlags\fR:
.Ip "long_otp_prompt" 12
-Put \s-1OTP\s0 prompt on its own line
+When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
+a two-line prompt is used to make it easier to cut and paste the
+challenge to a local window. It's not as pretty as the default but
+some people find it more convenient. This flag is off by default.
.Ip "ignore_dot" 12
-Ignore \*(L'.\*(R' in \f(CW$PATH\fR
+If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
+the \f(CW$PATH\fR itself is not modified. This flag is off by default.
.Ip "mail_always" 12
-Always send mail when sudo is run
+Send mail to the \fImailto\fR user every time a users runs sudo.
+This flag is off by default.
.Ip "mail_no_user" 12
-Send mail if the user is not in sudoers
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file. This flag is on by default.
.Ip "mail_no_host" 12
-Send mail if the user is not in sudoers for this host
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user exists in the \fIsudoers\fR file, but is not allowed to run
+commands on the current host. This flag is off by default.
.Ip "mail_no_perms" 12
-Send mail if the user is not allowed to run a command
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user allowed to use sudo but the command they are trying is not
+listed in their \fIsudoers\fR file entry. This flag is off by default.
.Ip "tty_tickets" 12
-Use a separate timestamp for each user/tty combo
+If set, users must authenticate on a per-tty basis. Normally,
+\fBsudo\fR uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, \fBsudo\fR will use a
+file named for the tty the user is logged in on in that directory.
+This flag is off by default.
.Ip "lecture" 12
-Lecture user the first time they run sudo
+If set, a user will receive a short lecture the first time he/she
+runs \fBsudo\fR. This flag is on by default.
.Ip "authenticate" 12
-Require users to authenticate by default
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
+This flag is on by default.
.Ip "root_sudo" 12
-Root may run sudo
+If set, root is allowed to run sudo too. Disabling this prevents users
+from \*(L"chaining\*(R" sudo commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR.
+This flag is on by default.
.Ip "log_host" 12
-Log the hostname in the (non-syslog) log file
+If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "log_year" 12
-Log the year in the (non-syslog) log file
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "shell_noargs" 12
-If sudo is invoked with no arguments, start a shell
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\f(CW-s\fR flag had been given. That is, it runs a shell as root (the
+shell is determined by the \f(CWSHELL\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is off by default.
.Ip "set_home" 12
-Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
+If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \f(CW-u\fR option is used). This effectively
+makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default.
.Ip "path_info" 12
-Allow some information gathering to give useful error messages
+Normally, \fBsudo\fR will tell the user when a command could not be
+found in their \f(CW$PATH\fR. Some sites may wish to disable this as
+it could be used to gather information on the location of executables
+that the normal user does not have access to. The disadvantage is
+that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR
+will tell the user that they are not allowed to run it, which can
+be confusing. This flag is off by default.
.Ip "fqdn" 12
-Require fully-qualified hostnames in the sudoers file
+Set this flag if you want to put fully qualified hostnames in the
+\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as \s-1DNS\s0 knows it. That is,
+you may not use a host alias (\f(CWCNAME\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR
+command) is already fully qualified you shouldn't need to set
+\fIfqfn\fR. This flag is off by default.
.Ip "insults" 12
-Insult the user when they enter an incorrect password
+If set, sudo will insult users when they enter an incorrect
+password. This flag is off by default.
.Ip "requiretty" 12
-Only allow the user to run sudo if they have a tty
+If set, sudo will only run when the user is logged in to a real
+tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
+\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
+of echo when there is no tty present, some sites may with to set
+this flag to prevent a user from entering a visible password. This
+flag is off by default.
.PP
\fBIntegers\fR:
.Ip "passwd_tries" 12
-Number of tries to enter a password
+The number of tries a user gets to enter his/her password before
+sudo logs the failure and exits. The default is 3.
.PP
\fBIntegers that can be used in a boolean context\fR:
.Ip "loglinelen" 12
-Length at which to wrap log file lines (use 0 or negate for no wrap)
+Number of characters per line for the file log. This value is used
+to decide when to wrap lines for nicer log files. This has no
+effect on the syslog log file, only the file log. The default is
+80 (use 0 or negate to disable word wrap).
.Ip "timestamp_timeout" 12
-Authentication timestamp timeout
+Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
+again. The default is 5, set this to 0 to always prompt for a password.
.Ip "passwd_timeout" 12
-Password prompt timeout
+Number of minutes before the sudo password prompt times out.
+The default is 5, set this to 0 for no password timeout.
.Ip "umask" 12
-Umask to use or 0777 to use user's
+Umask to use when running the root command. Set this to 0777 to
+not override the user's umask. The default is 0022.
.PP
\fBStrings\fR:
.Ip "mailsub" 12
-Subject line for mail messages
+Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+will expand to the hostname of the machine.
+Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R".
.Ip "badpass_message" 12
-Incorrect password message
+Message that is displayed if a user enters an incorrect password.
+The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.
.Ip "timestampdir" 12
-Path to authentication timestamp dir
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR.
.Ip "passprompt" 12
-Default password prompt
+The default prompt to use when asking for a password; can be overridden
+via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports
+two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands
+to the local hostname. The default value is \*(L"Password:\*(R".
.Ip "runas_default" 12
-Default user to run commands as
+The default user to run commands as if the \f(CW-u\fR flag is not specified
+on the command line. This defaults to \*(L"root\*(R".
.Ip "syslog_goodpri" 12
-Syslog priority to use when user authenticates successfully
+Syslog priority to use when user authenticates successfully.
+Defaults to \*(L"notice\*(R".
.Ip "syslog_badpri" 12
-Syslog priority to use when user authenticates unsuccessfully
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to \*(L"alert\*(R".
.PP
\fBStrings that can be used in a boolean context\fR:
.Ip "syslog" 12
-Syslog facility if syslog is being used for logging (negate to disable syslog)
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to \*(L"local2\*(R".
.Ip "mailerpath" 12
-Path to mail program
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
.Ip "mailerflags" 12
-Flags for mail program
+Flags to use when invoking mailer. Defaults to \f(CW-t\fR.
.Ip "mailto" 12
-Address to send mail to
+Address to send warning and erorr mail to. Defaults to \*(L"root\*(R".
.Ip "exempt_group" 12
-Users in this group are exempt from password and \s-1PATH\s0 requirements
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
.Ip "secure_path" 12
-Value to override user's \f(CW$PATH\fR with
+Path used for every command run from \fBsudo\fR. If you don't trust the
+people running sudo to have a sane \f(CWPATH\fR environment variable you may
+want to use this. Another use is if you want to have the \*(L"root path\*(R"
+be separate from the \*(L"user path.\*(R" This is not set by default.
.Ip "verifypw" 12
This option controls when a password will be required when a
user runs sudo with the \fB\-v\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
@@ -487,12 +563,12 @@ This option controls when a password will be required when a
user runs sudo with the \fB\-l\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index 1fac06c59ee..34b9ce2afe3 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -37,6 +37,6 @@
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.2";
+static const char version[] = "1.6.2p1";
#endif /* _SUDO_VERSION_H */