--- embedaddon/sudo/doc/sudoers.mdoc.in 2013/07/22 10:46:12 1.1.1.2 +++ embedaddon/sudo/doc/sudoers.mdoc.in 2013/10/14 07:56:34 1.1.1.3 @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd April 30, 2013 +.Dd August 31, 2013 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1597,7 +1597,7 @@ This effectively means that the option is always implied. Note that .Ev HOME -is already set when the the +is already set when the .Em env_reset option is enabled, so .Em always_set_home @@ -2080,11 +2080,40 @@ may be needed on older PAM implementations or on opera opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be updated for the command being run. +If +.Em pam_session , +.Em pam_setcred , +and +.Em use_pty +are disabled and I/O logging has not been configured, +.Nm sudo +will execute the command directly instead of running it as a child +process. This flag is .Em @pam_session@ by default. .Pp This setting is only supported by version 1.8.7 or higher. +.It pam_setcred +On systems that use PAM for authentication, +.Nm sudo +will attempt to establish credentials for the target user by default, +if supported by the underlying authentication system. +One example of a credential is a Kerberos ticket. +If +.Em pam_session , +.Em pam_setcred , +and +.Em use_pty +are disabled and I/O logging has not been configured, +.Nm sudo +will execute the command directly instead of running it as a child +process. +This flag is +.Em on +by default. +.Pp +This setting is only supported by version 1.8.8 or higher. .It passprompt_override The password prompt specified by .Em passprompt @@ -2212,7 +2241,7 @@ option imply .Fl H . Note that .Ev HOME -is already set when the the +is already set when the .Em env_reset option is enabled, so .Em set_home 
@@ -2661,6 +2690,30 @@ version 1.8.1 this option is no longer supported. The path to the noexec file should now be set in the .Xr sudo.conf @mansectform@ file. +.It pam_login_service +On systems that use PAM for authentication, this is the service +name used when the +.Fl i +option is specified. +The default value is +.Dq Li @pam_login_service@ . +See the description of +.Em pam_service +for more information. +.Pp +This setting is only supported by version 1.8.8 or higher. +.It pam_service +On systems that use PAM for authentication, the service name +specifies the PAM policy to apply. +This usually corresponds to an entry in the +.Pa pam.conf +file or a file in the +.Pa /etc/pam.d +directory. +The default value is +.Dq Li sudo . +.Pp +This setting is only supported by version 1.8.8 or higher. .It passprompt The default prompt to use when asking for a password; can be overridden via the .Fl p @@ -2753,7 +2806,7 @@ Defaults to .Li @goodpri@ . .Pp See -.Sx syslog_badpri +.Em syslog_badpri for the list of supported syslog priorities. .It sudoers_locale Locale to use when parsing the sudoers file, logging commands, and @@ -3543,6 +3596,10 @@ Lastly, we disable shell escapes for the commands in t and .Pa /usr/bin/less .Pc . +Note that this will not effectively constrain users with +.Nm sudo +.Sy ALL +privileges. .Bd -literal # Override built-in defaults Defaults syslog=auth @@ -3774,6 +3831,14 @@ belonging to the and .Em SHELLS .Li Cmnd_Aliases . +While not specifically mentioned in the rule, the commands in the +.Em PAGERS +.Li Cmnd_Alias +all reside in +.Pa /usr/bin +and have the +.Em noexec +option set. .Bd -literal steve CSNETS = (operator) /usr/local/op_commands/ .Ed
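Review bot: In the @@ -2080,11 +2080,40 @@ hunk, the three-line sentence beginning "If .Em pam_session , .Em pam_setcred , and .Em use_pty are disabled and I/O logging has not been configured" is pasted verbatim into both the pam_session and pam_setcred entries. Keep it once (under pam_session) and have pam_setcred point at it with "See the description of .Em pam_session" the same way pam_login_service defers to pam_service later in this patch; duplicated text drifts apart on the next edit. Also, pam_session's default is the configure substitution ".Em @pam_session@" while pam_setcred's is the literal ".Em on"; if the default cannot be changed at configure time that is fine, but it reads as an oversight. Finally, pam_session spells out a consequence of turning it off (resource limits may not be updated); pam_setcred does not, and the one example given (a Kerberos ticket) suggests the obvious wording: disabling it means no such credential is established for the target user.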
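Review bot: In the @@ -2661,6 +2690,30 @@ hunk, the two new entries disagree on how their defaults are expressed: pam_login_service uses the configure substitution ".Dq Li @pam_login_service@" while pam_service hardcodes ".Dq Li sudo". If the service name is configurable at build time (as the substitution for the login variant implies), pam_service should use a matching substitution; if it is not, say so. Since the text itself states that the service name "specifies the PAM policy to apply", the entry should also say what happens when the named service has no entry in pam.conf or /etc/pam.d, because a typo in a Defaults line silently selects a different policy than the administrator intended.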
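Review bot: In the @@ -3543,6 +3596,10 @@ hunk, the added caveat "this will not effectively constrain users with .Nm sudo .Sy ALL privileges" is the right warning but gives no reason. One clause would make it self-explanatory and stop readers from assuming noexec on more and less is a sandbox: a user with ALL can simply run a shell or any other program directly, so restricting shell escapes from the pagers buys nothing for them.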
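Review bot: In the @@ -3774,6 +3831,14 @@ hunk, "have the .Em noexec option set" is ambiguous; the commands do not carry the option themselves, it comes from the Defaults!PAGERS entry introduced earlier in the example. Say explicitly that because the rule grants the /usr/bin directory, /usr/bin/more and /usr/bin/less match it and the Defaults!PAGERS noexec setting applies to them. "While not specifically mentioned in the rule" should also be made concrete by naming which rule and which directory grant is meant, otherwise the sentence is detached from the example it follows.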