Expand section on Solaris privileges.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index c955f63ae1c4223c8e199824d45cab9864d627fb..b1bf7b0b6a8f20931d9f3df4804e77b7339dc3a0 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -441,6 +441,26 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      privileges or limit privileges are specified with the command it will
      override any default values specified in _\bs_\bu_\bd_\bo_\be_\br_\bs.
 
+     A privilege set is a comma-separated list of privilege names.  The
+     ppriv(1) command can be used to list all privileges known to the system.
+     For example:
+
+     $ ppriv -l
+
+     In addition, there are several ``special'' privilege strings:
+
+     none      the empty set
+
+     all       the set of all privileges
+
+     zone      the set of all privileges available in the current zone
+
+     basic     the default set of privileges normal users are granted at login
+               time
+
+     Privileges can be excluded from a set by prefixing the privilege name
+     with either an `!' or `-' character.
+
    T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
      A command may have zero or more tags associated with it.  There are ten
      possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 8f0b5dd29e824dd57e65149e17b20283f0a78213..a710746779b65799b227b50f916dc4730f2d7241 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -964,6 +964,41 @@ privilege set associated with a command.
 If privileges or limit privileges are specified with the command
 it will override any default values specified in
 \fIsudoers\fR.
+.PP
+A privilege set is a comma-separated list of privilege names.
+The
+ppriv(1)
+command can be used to list all privileges known to the system.
+For example:
+.nf
+.sp
+.RS 0n
+$ ppriv -l
+.RE
+.fi
+.PP
+In addition, there are several
+``special''
+privilege strings:
+.TP 10n
+none
+the empty set
+.TP 10n
+all
+the set of all privileges
+.TP 10n
+zone
+the set of all privileges available in the current zone
+.TP 10n
+basic
+the default set of privileges normal users are granted at login time
+.PP
+Privileges can be excluded from a set by prefixing the privilege
+name with either an
+`\&!'
+or
+`\-'
+character.
 .SS "Tag_Spec"
 A command may have zero or more tags associated with it.
 There are

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 7c039c2016967fd50376e5ca89d52b630a68bec8..ddef0f0f3844953dcc2d4e4ae91fd1c661e07482 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -911,6 +911,36 @@ privilege set associated with a command.
 If privileges or limit privileges are specified with the command
 it will override any default values specified in
 .Em sudoers .
+.Pp
+A privilege set is a comma-separated list of privilege names.
+The
+.Xr ppriv 1
+command can be used to list all privileges known to the system.
+For example:
+.Bd -literal
+$ ppriv -l
+.Ed
+.Pp
+In addition, there are several
+.Dq special
+privilege strings:
+.Bl -tag -width 8n
+.It none
+the empty set
+.It all
+the set of all privileges
+.It zone
+the set of all privileges available in the current zone
+.It basic
+the default set of privileges normal users are granted at login time
+.El
+.Pp
+Privileges can be excluded from a set by prefixing the privilege
+name with either an
+.Ql \&!
+or
+.Ql \-
+character.
 .Ss Tag_Spec
 A command may have zero or more tags associated with it.
 There are