Mention how !foo is not the same as ALL,!foo

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 1ecc8a66b428a29e5b524763bff742821ca036c6..bc835cef51ada59fec4e71cdfe3cad41504df17d 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -668,11 +668,24 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      since in a command context, it allows the user to run a\ban\bny\by command on the
      system.
 
-     An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator both in
-     an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd.  This allows one to exclude certain
-     values.  Note, however, that using a `!' in conjunction with the built-in
-     A\bAL\bLL\bL alias to allow a user to run ``all but a few'' commands rarely works
-     as intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
+     An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator in a
+     list or _\ba_\bl_\bi_\ba_\bs as well as in front of a Cmnd.  This allows one to exclude
+     certain values.  For the `!' operator to be effective, there must be
+     something for it to exclude.  For example, to match all users except for
+     root one would use:
+
+         ALL,!root
+
+     If the A\bAL\bLL\bL, is omitted, as in:
+
+         !root
+
+     it would explicitly deny root but not match any other users.  This is
+     different from a true ``negation'' operator.
+
+     Note, however, that using a `!' in conjunction with the built-in A\bAL\bLL\bL
+     alias to allow a user to run ``all but a few'' commands rarely works as
+     intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
 
      Long lines can be continued with a backslash (`\') as the last character
      on the line.

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 703ad2d834aaea9040dd0f435a279ce8b0740e5b..6494bb55003a5b1d9a59136143f6870dcba7b04b 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -1490,11 +1490,37 @@ An exclamation point
 (`\&!')
 can be used as a logical
 \fInot\fR
-operator both in an
+operator in a list or
 \fIalias\fR
-and in front of a
+as well as in front of a
 \fRCmnd\fR.
 This allows one to exclude certain values.
+For the
+`\&!'
+operator to be effective, there must be something for it to exclude.
+For example, to match all users except for root one would use:
+.nf
+.sp
+.RS 4n
+ALL,!root
+.RE
+.fi
+.PP
+If the
+\fBALL\fR,
+is omitted, as in:
+.nf
+.sp
+.RS 4n
+!root
+.RE
+.fi
+.PP
+it would explicitly deny root but not match any other users.
+This is different from a true
+``negation''
+operator.
+.PP
 Note, however, that using a
 `\&!'
 in conjunction with the built-in

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index cf0d1da6f8c7200f61a6a4310cbe4bd242e3ac18..8d642d91c456b80920d6293f61c1f70ed55ed344 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -1393,11 +1393,31 @@ An exclamation point
 .Pq Ql \&!
 can be used as a logical
 .Em not
-operator both in an
+operator in a list or
 .Em alias
-and in front of a
+as well as in front of a
 .Li Cmnd .
 This allows one to exclude certain values.
+For the
+.Ql \&!
+operator to be effective, there must be something for it to exclude.
+For example, to match all users except for root one would use:
+.Bd -literal -offset 4n
+ALL,!root
+.Ed
+.Pp
+If the
+.Sy ALL ,
+is omitted, as in:
+.Bd -literal -offset 4n
+!root
+.Ed
+.Pp
+it would explicitly deny root but not match any other users.
+This is different from a true
+.Dq negation
+operator.
+.Pp
 Note, however, that using a
 .Ql \&!
 in conjunction with the built-in