Add a check in visudo for runas_default being set after it has already

been used.

diff --git a/visudo.pod b/visudo.pod
index dd123e1b9b9326a869ab671e8932859a758d82bd..045ea2c4b069fe71ac6d9c42dc48d3989e892880 100644 (file)
--- a/visudo.pod
+++ b/visudo.pod
@@ -82,7 +82,7 @@ B<visudo> will exit with a value of 1.
 
 Specify and alternate I<sudoers> file location.  With this option
 B<visudo> will edit (or check) the I<sudoers> file of your choice,
-instead of the default, @sysconfdir@/sudoers.  The lock file used
+instead of the default, F<@sysconfdir@/sudoers>.  The lock file used
 is the specified I<sudoers> file with ".tmp" appended to it.
 
 =item -q
@@ -131,6 +131,18 @@ underscore ('_') character.  If the latter, you can ignore
 the warnings (B<sudo> will not complain).  In B<-s> (strict)
 mode these are errors, not warnings.
 
+=item Warning: runas_default set after old value is in use ...
+
+You have a I<runas_default> Defaults setting listed in the I<sudoers>
+file after its value has already been used.  This means that entries
+prior to the I<runas_default> setting will match based on the default
+value of I<runas_default> (C<@runas_default@>) whereas entries
+B<after> the I<runas_default> setting will match based on the new
+value.  This is usually unintentional and in most cases the
+<runas_default> setting should be placed before any C<Runas_Alias>
+or User specifications.  In B<-s> (strict) mode this is an error,
+not a warning.
+
 =back
 
 =head1 ENVIRONMENT