From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Thu, 23 Mar 2000 03:20:57 +0000 (+0000)
Subject: Document set_logname option and enbolden refs to sudo and visudo.
X-Git-Tag: SUDO_1_6_3~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4c8b4fad56354d5e8b81d49c000c57e024fa1223;p=sudo

Document set_logname option and enbolden refs to sudo and visudo.
---

diff --git a/sudoers.cat b/sudoers.cat
index a98a5db2c..60ac83e7c 100644
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -237,7 +237,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    modified.  This flag is off by default.
 
        mail_always Send mail to the _m_a_i_l_t_o user every time a
-                   users runs sudo.  This flag is off by default.
+                   users runs ssssuuuuddddoooo.  This flag is off by default.
 
        mail_no_user
                    If set, mail will be sent to the _m_a_i_l_t_o user
@@ -253,7 +253,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
        mail_no_perms
                    If set, mail will be sent to the _m_a_i_l_t_o user
-                   if the invoking user allowed to use sudo but
+                   if the invoking user allowed to use ssssuuuuddddoooo but
                    the command they are trying is not listed in
                    their _s_u_d_o_e_r_s file entry.  This flag is off by
 
@@ -289,9 +289,9 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    may be overridden via the PASSWD and NOPASSWD
                    tags.  This flag is on by default.
 
-       root_sudo   If set, root is allowed to run sudo too.
+       root_sudo   If set, root is allowed to run ssssuuuuddddoooo too.
                    Disabling this prevents users from "chaining"
-                   sudo commands to get a root shell by doing
+                   ssssuuuuddddoooo commands to get a root shell by doing
                    something like "sudo sudo /bin/sh".  This flag
                    is on by default.
 
@@ -347,7 +347,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    instead of myhost you would use
                    myhost.mydomain.edu.  You may still use the
                    short form if you wish (and even mix the two).
-                   Beware that turning on _f_q_d_n requires sudo to
+                   Beware that turning on _f_q_d_n requires ssssuuuuddddoooo to
                    make DNS lookups which may make ssssuuuuddddoooo unusable
                    if DNS stops working (for example if the
                    machine is not plugged into the network).
@@ -361,11 +361,11 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    you shouldn't need to set _f_q_f_n.  This flag is
                    off by default.
 
-       insults     If set, sudo will insult users when they enter
+       insults     If set, ssssuuuuddddoooo will insult users when they enter
                    an incorrect password.  This flag is off by
                    default.
 
-       requiretty  If set, sudo will only run when the user is
+       requiretty  If set, ssssuuuuddddoooo will only run when the user is
                    logged in to a real tty.  This will disallow
                    things like "rsh somehost sudo ls" since
                    _r_s_h(1) does not allocate a tty.  Because it is
@@ -374,17 +374,17 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    flag to prevent a user from entering a visible
                    password.  This flag is off by default.
 
-       env_editor  If set, visudo will use the value of the
+       env_editor  If set, vvvviiiissssuuuuddddoooo will use the value of the
                    EDITOR or VISUAL environment falling back on
                    the default editor.  Note that this may create
                    a security hole as most editors allow a user
                    to get a shell (which would be a root shell
                    and not be logged).
 
-       rootpw      If set, sudo will prompt for the root password
+       rootpw      If set, ssssuuuuddddoooo will prompt for the root password
                    instead of the password of the invoking user.
 
-       runaspw     If set, sudo will prompt for the password of
+       runaspw     If set, ssssuuuuddddoooo will prompt for the password of
                    the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option
                    (defaults to root) instead of the password of
                    the invoking user.
@@ -400,22 +400,32 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
-       targetpw    If set, sudo will prompt for the password of
+       targetpw    If set, ssssuuuuddddoooo will prompt for the password of
                    the user specified by the -u flag (defaults to
                    root) instead of the password of the invoking
                    user.
 
+       set_logname Normally, ssssuuuuddddoooo will set the LOGNAME and USER
+                   environment variables to the name of the
+                   target user (usually root unless the -u flag
+                   is given).  However, since some programs
+                   (including the RCS revision control system)
+                   use LOGNAME to determine the real identity of
+                   the user, it may be desirable to change this
+                   behavior.  This can be done by negating the
+                   set_logname option.
+
        use_loginclass
-                   If set, sudo will apply the defaults specified
+                   If set, ssssuuuuddddoooo will apply the defaults specified
                    for the target user's login class if one
-                   exists.  Only available if sudo is configured
+                   exists.  Only available if ssssuuuuddddoooo is configured
                    with the --with-logincap option.
 
        IIIInnnntttteeeeggggeeeerrrrssss:
 
        passwd_tries
                    The number of tries a user gets to enter
-                   his/her password before sudo logs the failure
+                   his/her password before ssssuuuuddddoooo logs the failure
                    and exits.  The default is 3.
 
        IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
@@ -434,7 +444,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    password.
 
        passwd_timeout
-                   Number of minutes before the sudo password
+                   Number of minutes before the ssssuuuuddddoooo password
                    prompt times out.  The default is 5, set this
                    to 0 for no password timeout.
 
@@ -444,16 +454,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
        SSSSttttrrrriiiinnnnggggssss:
 
-       mailsub     Subject of the mail sent to the _m_a_i_l_t_o user.
-                   The escape %h will expand to the hostname of
-                   the machine.  Default is "*** SECURITY
-                   information for %h ***".
-
-       badpass_message
-                   Message that is displayed if a user enters an
-                   incorrect password.  The default is "Sorry,
-                   try again." unless insults are enabled.
-
 
 
 
@@ -466,6 +466,16 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       mailsub     Subject of the mail sent to the _m_a_i_l_t_o user.
+                   The escape %h will expand to the hostname of
+                   the machine.  Default is "*** SECURITY
+                   information for %h ***".
+
+       badpass_message
+                   Message that is displayed if a user enters an
+                   incorrect password.  The default is "Sorry,
+                   try again." unless insults are enabled.
+
        timestampdir
                    The directory in which ssssuuuuddddoooo stores its
                    timestamp files.  The default is _@_T_I_M_E_D_I_R_@.
@@ -491,12 +501,12 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    Syslog priority to use when user authenticates
                    unsuccessfully.  Defaults to "alert".
 
-       editor      Path to the editor to be used by visudo.  The
+       editor      Path to the editor to be used by vvvviiiissssuuuuddddoooo.  The
                    default is the path to vi on your system.
 
        SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
 
-       logfile     Path to the sudo log file (not the syslog log
+       logfile     Path to the ssssuuuuddddoooo log file (not the syslog log
                    file).  Setting a path turns on logging to a
                    file, negating this option turns it off.
 
@@ -511,16 +521,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        mailerflags Flags to use when invoking mailer. Defaults to
                    -t.
 
-       mailto      Address to send warning and erorr mail to.
-                   Defaults to "root".
-
-       exempt_group
-                   Users in this group are exempt from password
-                   and PATH requirements.  This is not set by
-                   default.
-
-
-
 
 
 22/Mar/2000                   1.6.3                             8
@@ -532,15 +532,23 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       mailto      Address to send warning and erorr mail to.
+                   Defaults to "root".
+
+       exempt_group
+                   Users in this group are exempt from password
+                   and PATH requirements.  This is not set by
+                   default.
+
        secure_path Path used for every command run from ssssuuuuddddoooo.  If
-                   you don't trust the people running sudo to
+                   you don't trust the people running ssssuuuuddddoooo to
                    have a sane PATH environment variable you may
                    want to use this.  Another use is if you want
                    to have the "root path" be separate from the
                    "user path."  This is not set by default.
 
        verifypw    This option controls when a password will be
-                   required when a user runs sudo with the ----vvvv.
+                   required when a user runs ssssuuuuddddoooo with the ----vvvv.
                    It has the following possible values:
 
                        all         All the user's I<sudoers> entries for the
@@ -561,7 +569,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                    The default value is `all'.
 
        listpw      This option controls when a password will be
-                   required when a user runs sudo with the ----llll.
+                   required when a user runs ssssuuuuddddoooo with the ----llll.
                    It has the following possible values:
 
                        all         All the user's I<sudoers> entries for the
@@ -579,14 +587,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
                        always      The user must always enter a password to use
                                    the B<-l> flag.
 
-                   The default value is `any'.
-
-       When logging via _s_y_s_l_o_g(3), sudo accepts the following
-       values for the syslog facility (the value of the ssssyyyysssslllloooogggg
-       Parameter): aaaauuuutttthhhhpppprrrriiiivvvv (if your OS supports it), aaaauuuutttthhhh,
-       ddddaaaaeeeemmmmoooonnnn, uuuusssseeeerrrr, llllooooccccaaaallll0000, llllooooccccaaaallll1111, llllooooccccaaaallll2222, llllooooccccaaaallll3333, llllooooccccaaaallll4444,
-       llllooooccccaaaallll5555, llllooooccccaaaallll6666, and llllooooccccaaaallll7777.  The following syslog
-
 
 
 22/Mar/2000                   1.6.3                             9
@@ -598,6 +598,13 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+                   The default value is `any'.
+
+       When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following
+       values for the syslog facility (the value of the ssssyyyysssslllloooogggg
+       Parameter): aaaauuuutttthhhhpppprrrriiiivvvv (if your OS supports it), aaaauuuutttthhhh,
+       ddddaaaaeeeemmmmoooonnnn, uuuusssseeeerrrr, llllooooccccaaaallll0000, llllooooccccaaaallll1111, llllooooccccaaaallll2222, llllooooccccaaaallll3333, llllooooccccaaaallll4444,
+       llllooooccccaaaallll5555, llllooooccccaaaallll6666, and llllooooccccaaaallll7777.  The following syslog
        priorities are supported: aaaalllleeeerrrrtttt, ccccrrrriiiitttt, ddddeeeebbbbuuuugggg, eeeemmmmeeeerrrrgggg, eeeerrrrrrrr,
        iiiinnnnffffoooo, nnnnoooottttiiiicccceeee, and wwwwaaaarrrrnnnniiiinnnngggg.
 
@@ -645,13 +652,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr,
        but  _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt.
 
-       NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD
-
-       By default, ssssuuuuddddoooo requires that a user authenticate him or
-       herself before running a command.  This behavior can be
-       modified via the NOPASSWD tag.  Like a Runas_Spec, the
-       NOPASSWD tag sets a default for the commands that follow
-       it in the Cmnd_Spec_List.  Conversely, the PASSWD tag can
 
 
 
@@ -664,6 +664,13 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD
+
+       By default, ssssuuuuddddoooo requires that a user authenticate him or
+       herself before running a command.  This behavior can be
+       modified via the NOPASSWD tag.  Like a Runas_Spec, the
+       NOPASSWD tag sets a default for the commands that follow
+       it in the Cmnd_Spec_List.  Conversely, the PASSWD tag can
        be used to reverse things.  For example:
 
         ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
@@ -711,13 +718,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        line arguments, however, as slash ddddooooeeeessss get matched by
        wildcards.  This is to make a path like:
 
-           /usr/bin/*
-
-       match /usr/bin/who but not /usr/bin/X11/xterm.
-
-
-
-
 
 
 
@@ -730,6 +730,10 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+           /usr/bin/*
+
+       match /usr/bin/who but not /usr/bin/X11/xterm.
+
        EEEExxxxcccceeeeppppttttiiiioooonnnnssss ttttoooo wwwwiiiillllddddccccaaaarrrrdddd rrrruuuulllleeeessss::::
 
        The following exceptions apply to the above rules:
@@ -778,10 +782,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
        Below are example _s_u_d_o_e_r_s entries.  Admittedly, some of
        these are a bit contrived.  First, we define our _a_l_i_a_s_e_s:
 
-        # User alias specification
-        User_Alias     FULLTIMERS = millert, mikef, dowdy
-        User_Alias     PARTTIMERS = bostley, jwfox, crawl
-        User_Alias     WEBMASTERS = will, wendy, wim
 
 
 
@@ -796,6 +796,11 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+        # User alias specification
+        User_Alias     FULLTIMERS = millert, mikef, dowdy
+        User_Alias     PARTTIMERS = bostley, jwfox, crawl
+        User_Alias     WEBMASTERS = will, wendy, wim
+
         # Runas alias specification
         Runas_Alias    OP = root, operator
         Runas_Alias    DB = oracle, sybase
@@ -824,7 +829,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
         Cmnd_Alias     SU = /usr/bin/su
 
        Here we override some of the compiled in default values.
-       We want sudo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
+       We want ssssuuuuddddoooo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
        in all cases.  We don't want to subject the full time
        staff to the ssssuuuuddddoooo lecture, and user mmmmiiiilllllllleeeerrrrtttt need not give
        a password.  In addition, on the machines in the _S_E_R_V_E_R_S
@@ -845,11 +850,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
         %wheel         ALL = (ALL) ALL
 
        We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on
-       any host as any user.
-
-        FULLTIMERS     ALL = NOPASSWD: ALL
-
-       Full time sysadmins (mmmmiiiilllllllleeeerrrrtttt, mmmmiiiikkkkeeeeffff, and ddddoooowwwwddddyyyy) may run
 
 
 
@@ -862,6 +862,11 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       any host as any user.
+
+        FULLTIMERS     ALL = NOPASSWD: ALL
+
+       Full time sysadmins (mmmmiiiilllllllleeeerrrrtttt, mmmmiiiikkkkeeeeffff, and ddddoooowwwwddddyyyy) may run
        any command on any host without authenticating themselves.
 
         PARTTIMERS     ALL = ALL
@@ -912,11 +917,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
         jim            +biglab = ALL
 
-       The user jjjjiiiimmmm may run any command on machines in the _b_i_g_l_a_b
-       netgroup.  SSSSuuuuddddoooo knows that "biglab" is a netgroup due to
-       the '+' prefix.
-
-
 
 
 22/Mar/2000                   1.6.3                            14
@@ -928,6 +928,10 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       The user jjjjiiiimmmm may run any command on machines in the _b_i_g_l_a_b
+       netgroup.  SSSSuuuuddddoooo knows that "biglab" is a netgroup due to
+       the '+' prefix.
+
         +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
 
        Users in the sssseeeeccccrrrreeeettttaaaarrrriiiieeeessss netgroup need to help manage the
@@ -978,10 +982,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        Any user may mount or unmount a CD-ROM on the machines in
        the CDROM Host_Alias (orion, perseus, hercules) without
        entering a password.  This is a bit tedious for users to
-       type, so it is a prime candiate for encapsulating in a
-       shell script.
-
-
 
 
 
@@ -994,6 +994,9 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       type, so it is a prime candiate for encapsulating in a
+       shell script.
+
 SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTEEEESSSS
        It is generally not effective to "subtract" commands from
        ALL using the '!' operator.  A user can trivially
@@ -1047,9 +1050,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
 
 
 
-
-
-
 
 22/Mar/2000                   1.6.3                            16
 
diff --git a/sudoers.man.in b/sudoers.man.in
index 9697a2caf..214c60482 100644
--- a/sudoers.man.in
+++ b/sudoers.man.in
@@ -2,12 +2,8 @@
 ''' $RCSfile$$Revision$$Date$
 '''
 ''' $Log$
-''' Revision 1.2  2000/03/23 00:35:59  millert
-''' Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from
-''' Michael D. Marchionna.
-''' configure now does substitution on the man pages, allowing us to
-''' fix up the paths and set the section correctly.  Based on an idea
-''' from Michael D. Marchionna.
+''' Revision 1.3  2000/03/23 03:20:57  millert
+''' Document set_logname option and enbolden refs to sudo and visudo.
 '''
 '''
 .de Sh
@@ -388,7 +384,7 @@ some people find it more convenient.  This flag is off by default.
 If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
 the \f(CW$PATH\fR itself is not modified.  This flag is off by default.
 .Ip "mail_always" 12
-Send mail to the \fImailto\fR user every time a users runs sudo.
+Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
 This flag is off by default.
 .Ip "mail_no_user" 12
 If set, mail will be sent to the \fImailto\fR user if the invoking
@@ -399,7 +395,7 @@ user exists in the \fIsudoers\fR file, but is not allowed to run
 commands on the current host.  This flag is off by default.
 .Ip "mail_no_perms" 12
 If set, mail will be sent to the \fImailto\fR user if the invoking
-user allowed to use sudo but the command they are trying is not
+user allowed to use \fBsudo\fR but the command they are trying is not
 listed in their \fIsudoers\fR file entry.  This flag is off by default.
 .Ip "tty_tickets" 12
 If set, users must authenticate on a per-tty basis.  Normally,
@@ -416,8 +412,8 @@ means of authentication) before they may run commands.  This default
 may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
 This flag is on by default.
 .Ip "root_sudo" 12
-If set, root is allowed to run sudo too.  Disabling this prevents users
-from \*(L"chaining\*(R" sudo commands to get a root shell by doing something
+If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
+from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
 like \f(CW"sudo sudo /bin/sh"\fR.
 This flag is on by default.
 .Ip "log_host" 12
@@ -449,7 +445,7 @@ be confusing.  This flag is off by default.
 Set this flag if you want to put fully qualified hostnames in the
 \fIsudoers\fR file.  Ie: instead of myhost you would use myhost.mydomain.edu.
 You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups
+Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
 which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
 if the machine is not plugged into the network).  Also note that
 you must use the host's official name as \s-1DNS\s0 knows it.  That is,
@@ -459,40 +455,46 @@ issues and the fact that there is no way to get all aliases from
 command) is already fully qualified you shouldn't need to set
 \fIfqfn\fR.  This flag is off by default.
 .Ip "insults" 12
-If set, sudo will insult users when they enter an incorrect
+If set, \fBsudo\fR will insult users when they enter an incorrect
 password.  This flag is off by default.
 .Ip "requiretty" 12
-If set, sudo will only run when the user is logged in to a real
+If set, \fBsudo\fR will only run when the user is logged in to a real
 tty.  This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
 \fIrsh\fR\|(1) does not allocate a tty.  Because it is not possible to turn
 of echo when there is no tty present, some sites may with to set
 this flag to prevent a user from entering a visible password.  This
 flag is off by default.
 .Ip "env_editor" 12
-If set, visudo will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment
+If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment
 falling back on the default editor.  Note that this may create a
 security hole as most editors allow a user to get a shell (which
 would be a root shell and not be logged).
 .Ip "rootpw" 12
-If set, sudo will prompt for the root password instead of the password
+If set, \fBsudo\fR will prompt for the root password instead of the password
 of the invoking user.
 .Ip "runaspw" 12
-If set, sudo will prompt for the password of the user defined by the
+If set, \fBsudo\fR will prompt for the password of the user defined by the
 \fIrunas_default\fR option (defaults to root) instead of the password
 of the invoking user.
 .Ip "targetpw" 12
-If set, sudo will prompt for the password of the user specified by
+If set, \fBsudo\fR will prompt for the password of the user specified by
 the \f(CW-u\fR flag (defaults to root) instead of the password of the
 invoking user.
+.Ip "set_logname" 12
+Normally, \fBsudo\fR will set the \f(CWLOGNAME\fR and \f(CWUSER\fR environment variables
+to the name of the target user (usually root unless the \f(CW-u\fR flag is given).
+However, since some programs (including the \s-1RCS\s0 revision control system)
+use \f(CWLOGNAME\fR to determine the real identity of the user, it may be desirable
+to change this behavior.  This can be done by negating the set_logname option.
 .Ip "use_loginclass" 12
-If set, sudo will apply the defaults specified for the target user's
-login class if one exists.  Only available if sudo is configured with
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists.  Only available if \fBsudo\fR is configured with
 the --with-logincap option.
 .PP
 \fBIntegers\fR:
 .Ip "passwd_tries" 12
 The number of tries a user gets to enter his/her password before
-sudo logs the failure and exits.  The default is 3.
+\fBsudo\fR logs the failure and exits.  The default is 3.
 .PP
 \fBIntegers that can be used in a boolean context\fR:
 .Ip "loglinelen" 12
@@ -504,7 +506,7 @@ effect on the syslog log file, only the file log.  The default is
 Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
 again.  The default is 5, set this to 0 to always prompt for a password.
 .Ip "passwd_timeout" 12
-Number of minutes before the sudo password prompt times out.
+Number of minutes before the \fBsudo\fR password prompt times out.
 The default is 5, set this to 0 for no password timeout.
 .Ip "umask" 12
 Umask to use when running the root command.  Set this to 0777 to
@@ -536,12 +538,12 @@ Defaults to \*(L"notice\*(R".
 Syslog priority to use when user authenticates unsuccessfully.
 Defaults to \*(L"alert\*(R".
 .Ip "editor" 12
-Path to the editor to be used by visudo.  The default is the path
+Path to the editor to be used by \fBvisudo\fR.  The default is the path
 to vi on your system.
 .PP
 \fBStrings that can be used in a boolean context\fR:
 .Ip "logfile" 12
-Path to the sudo log file (not the syslog log file).  Setting a path
+Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path
 turns on logging to a file, negating this option turns it off.
 .Ip "syslog" 12
 Syslog facility if syslog is being used for logging (negate to
@@ -558,12 +560,12 @@ Users in this group are exempt from password and \s-1PATH\s0 requirements.
 This is not set by default.
 .Ip "secure_path" 12
 Path used for every command run from \fBsudo\fR.  If you don't trust the
-people running sudo to have a sane \f(CWPATH\fR environment variable you may
+people running \fBsudo\fR to have a sane \f(CWPATH\fR environment variable you may
 want to use this.  Another use is if you want to have the \*(L"root path\*(R"
 be separate from the \*(L"user path.\*(R"  This is not set by default.
 .Ip "verifypw" 12
 This option controls when a password will be required when a
-user runs sudo with the \fB\-v\fR.  It has the following possible values:
+user runs \fBsudo\fR with the \fB\-v\fR.  It has the following possible values:
 .Sp
 .Vb 3
 \&    all         All the user's I<sudoers> entries for the
@@ -587,7 +589,7 @@ user runs sudo with the \fB\-v\fR.  It has the following possible values:
 The default value is `all\*(R'.
 .Ip "listpw" 12
 This option controls when a password will be required when a
-user runs sudo with the \fB\-l\fR.  It has the following possible values:
+user runs \fBsudo\fR with the \fB\-l\fR.  It has the following possible values:
 .Sp
 .Vb 3
 \&    all         All the user's I<sudoers> entries for the
@@ -610,7 +612,7 @@ user runs sudo with the \fB\-l\fR.  It has the following possible values:
 .Ve
 The default value is `any\*(R'.
 .PP
-When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog
+When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values for the syslog
 facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0
 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR,
 \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.  The following
@@ -793,7 +795,7 @@ these are a bit contrived.  First, we define our \fIaliases\fR:
 \& Cmnd_Alias     SU = /usr/bin/su
 .Ve
 Here we override some of the compiled in default values.  We want
-sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
+\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
 We don't want to subject the full time staff to the \fBsudo\fR lecture,
 and user \fBmillert\fR need not give a password.  In addition, on the
 machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
@@ -1037,6 +1039,8 @@ as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in
 
 .IX Item "targetpw"
 
+.IX Item "set_logname"
+
 .IX Item "use_loginclass"
 
 .IX Item "passwd_tries"
diff --git a/sudoers.pod b/sudoers.pod
index c0b0f4b2a..dba8dd56e 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -235,7 +235,7 @@ the C<$PATH> itself is not modified.  This flag is off by default.
 
 =item mail_always
 
-Send mail to the I<mailto> user every time a users runs sudo.
+Send mail to the I<mailto> user every time a users runs B<sudo>.
 This flag is off by default.
 
 =item mail_no_user
@@ -252,7 +252,7 @@ commands on the current host.  This flag is off by default.
 =item mail_no_perms
 
 If set, mail will be sent to the I<mailto> user if the invoking
-user allowed to use sudo but the command they are trying is not
+user allowed to use B<sudo> but the command they are trying is not
 listed in their I<sudoers> file entry.  This flag is off by default.
 
 =item tty_tickets
@@ -277,8 +277,8 @@ This flag is on by default.
 
 =item root_sudo
 
-If set, root is allowed to run sudo too.  Disabling this prevents users
-from "chaining" sudo commands to get a root shell by doing something
+If set, root is allowed to run B<sudo> too.  Disabling this prevents users
+from "chaining" B<sudo> commands to get a root shell by doing something
 like C<"sudo sudo /bin/sh">.
 This flag is on by default.
 
@@ -322,7 +322,7 @@ be confusing.  This flag is off by default.
 Set this flag if you want to put fully qualified hostnames in the
 I<sudoers> file.  Ie: instead of myhost you would use myhost.mydomain.edu.
 You may still use the short form if you wish (and even mix the two).
-Beware that turning on I<fqdn> requires sudo to make DNS lookups
+Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
 which may make B<sudo> unusable if DNS stops working (for example
 if the machine is not plugged into the network).  Also note that
 you must use the host's official name as DNS knows it.  That is,
@@ -334,12 +334,12 @@ I<fqfn>.  This flag is off by default.
 
 =item insults
 
-If set, sudo will insult users when they enter an incorrect
+If set, B<sudo> will insult users when they enter an incorrect
 password.  This flag is off by default.
 
 =item requiretty
 
-If set, sudo will only run when the user is logged in to a real
+If set, B<sudo> will only run when the user is logged in to a real
 tty.  This will disallow things like C<"rsh somehost sudo ls"> since
 rsh(1) does not allocate a tty.  Because it is not possible to turn
 of echo when there is no tty present, some sites may with to set
@@ -348,32 +348,40 @@ flag is off by default.
 
 =item env_editor
 
-If set, visudo will use the value of the EDITOR or VISUAL environment
+If set, B<visudo> will use the value of the EDITOR or VISUAL environment
 falling back on the default editor.  Note that this may create a
 security hole as most editors allow a user to get a shell (which
 would be a root shell and not be logged).
 
 =item rootpw
 
-If set, sudo will prompt for the root password instead of the password
+If set, B<sudo> will prompt for the root password instead of the password
 of the invoking user.
 
 =item runaspw
 
-If set, sudo will prompt for the password of the user defined by the
+If set, B<sudo> will prompt for the password of the user defined by the
 I<runas_default> option (defaults to root) instead of the password
 of the invoking user.
 
 =item targetpw
 
-If set, sudo will prompt for the password of the user specified by
+If set, B<sudo> will prompt for the password of the user specified by
 the C<-u> flag (defaults to root) instead of the password of the
 invoking user.
 
+=item set_logname
+
+Normally, B<sudo> will set the C<LOGNAME> and C<USER> environment variables
+to the name of the target user (usually root unless the C<-u> flag is given).
+However, since some programs (including the RCS revision control system)
+use C<LOGNAME> to determine the real identity of the user, it may be desirable
+to change this behavior.  This can be done by negating the set_logname option.
+
 =item use_loginclass
 
-If set, sudo will apply the defaults specified for the target user's
-login class if one exists.  Only available if sudo is configured with
+If set, B<sudo> will apply the defaults specified for the target user's
+login class if one exists.  Only available if B<sudo> is configured with
 the --with-logincap option.
 
 =back
@@ -385,7 +393,7 @@ B<Integers>:
 =item passwd_tries
 
 The number of tries a user gets to enter his/her password before
-sudo logs the failure and exits.  The default is 3.
+B<sudo> logs the failure and exits.  The default is 3.
 
 =back
 
@@ -407,7 +415,7 @@ again.  The default is 5, set this to 0 to always prompt for a password.
 
 =item passwd_timeout
 
-Number of minutes before the sudo password prompt times out.
+Number of minutes before the B<sudo> password prompt times out.
 The default is 5, set this to 0 for no password timeout.
 
 =item umask
@@ -461,7 +469,7 @@ Defaults to "alert".
 
 =item editor
 
-Path to the editor to be used by visudo.  The default is the path
+Path to the editor to be used by B<visudo>.  The default is the path
 to vi on your system.
 
 =back 12
@@ -472,7 +480,7 @@ B<Strings that can be used in a boolean context>:
 
 =item logfile
 
-Path to the sudo log file (not the syslog log file).  Setting a path
+Path to the B<sudo> log file (not the syslog log file).  Setting a path
 turns on logging to a file, negating this option turns it off.
 
 =item syslog
@@ -501,14 +509,14 @@ This is not set by default.
 =item secure_path
 
 Path used for every command run from B<sudo>.  If you don't trust the
-people running sudo to have a sane C<PATH> environment variable you may
+people running B<sudo> to have a sane C<PATH> environment variable you may
 want to use this.  Another use is if you want to have the "root path"
 be separate from the "user path."  This is not set by default.
 
 =item verifypw
 
 This option controls when a password will be required when a
-user runs sudo with the B<-v>.  It has the following possible values:
+user runs B<sudo> with the B<-v>.  It has the following possible values:
 
     all		All the user's I<sudoers> entries for the
 		current host must have the C<NOPASSWD>
@@ -530,7 +538,7 @@ The default value is `all'.
 =item listpw
 
 This option controls when a password will be required when a
-user runs sudo with the B<-l>.  It has the following possible values:
+user runs B<sudo> with the B<-l>.  It has the following possible values:
 
     all		All the user's I<sudoers> entries for the
 		current host must have the C<NOPASSWD>
@@ -551,7 +559,7 @@ The default value is `any'.
 
 =back 12
 
-When logging via syslog(3), sudo accepts the following values for the syslog
+When logging via syslog(3), B<sudo> accepts the following values for the syslog
 facility (the value of the B<syslog> Parameter): B<authpriv> (if your OS
 supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>, B<local2>,
 B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.  The following
@@ -753,7 +761,7 @@ these are a bit contrived.  First, we define our I<aliases>:
  Cmnd_Alias	SU = /usr/bin/su
 
 Here we override some of the compiled in default values.  We want
-sudo to log via syslog(3) using the I<auth> facility in all cases.
+B<sudo> to log via syslog(3) using the I<auth> facility in all cases.
 We don't want to subject the full time staff to the B<sudo> lecture,
 and user B<millert> need not give a password.  In addition, on the
 machines in the I<SERVERS> C<Host_Alias>, we keep an additional