From 3a3c4bc49351641c9bf4fbd67497d782da53a361 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Wed, 14 Jul 2010 08:56:06 -0400
Subject: [PATCH] Substitute the value of EDITOR into the sudoers and visudo
 manuals.

--HG--
branch : 1.7
---
 aclocal.m4     |  32 ++++++-------
 configure      |  92 ++++++++++++++-----------------------
 configure.in   |   9 ++--
 sudoers.cat    | 122 ++++++++++++++++++++++++-------------------------
 sudoers.man.in |  13 ++++--
 sudoers.pod    |  11 +++--
 visudo.cat     |  34 +++++++-------
 visudo.man.in  |  11 ++---
 visudo.pod     |   9 ++--
 9 files changed, 158 insertions(+), 175 deletions(-)

diff --git a/aclocal.m4 b/aclocal.m4
index 75381e1b9..6901da05f 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -35,25 +35,19 @@ fi
 ])dnl
 
 dnl
-dnl check for vi
-dnl
-AC_DEFUN(SUDO_PROG_VI, [AC_MSG_CHECKING(for vi)
-if test -f "/usr/bin/vi"; then
-    AC_MSG_RESULT(/usr/bin/vi)
-    SUDO_DEFINE(_PATH_VI, "/usr/bin/vi")
-elif test -f "/usr/ucb/vi"; then
-    AC_MSG_RESULT(/usr/ucb/vi)
-    SUDO_DEFINE(_PATH_VI, "/usr/ucb/vi")
-elif test -f "/usr/bsd/vi"; then
-    AC_MSG_RESULT(/usr/bsd/vi)
-    SUDO_DEFINE(_PATH_VI, "/usr/bsd/vi")
-elif test -f "/bin/vi"; then
-    AC_MSG_RESULT(/bin/vi)
-    SUDO_DEFINE(_PATH_VI, "/bin/vi")
-elif test -f "/usr/local/bin/vi"; then
-    AC_MSG_RESULT(/usr/local/bin/vi)
-    SUDO_DEFINE(_PATH_VI, "/usr/local/bin/vi")
-else
+dnl check for vi in well-known locations
+dnl
+AC_DEFUN(SUDO_PROG_VI, [AC_MSG_CHECKING([for vi])
+found=no
+for editor in "/usr/bin/vi" "/bin/vi" "/usr/ucb/vi" "/usr/bsd/vi" "/usr/local/bin/vi"; do
+    if test -f "$editor"; then
+	found=yes
+	AC_MSG_RESULT([$editor])
+	SUDO_DEFINE_UNQUOTED(_PATH_VI, "$editor")
+	break
+    fi
+done
+if test X"$found" != X"no"; then
     AC_MSG_RESULT(not found)
 fi
 ])dnl
diff --git a/configure b/configure
index 34afc03ca..83043f8ab 100755
--- a/configure
+++ b/configure
@@ -784,6 +784,7 @@ OBJEXT
 EXEEXT
 ac_ct_CC
 CC
+editor
 secure_path
 netsvc_conf
 nsswitch_conf
@@ -2768,6 +2769,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
 
 
 
+
 
 
 #
@@ -4670,6 +4672,7 @@ _ACEOF
 
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_editor" >&5
 $as_echo "$with_editor" >&6; }
+		editor="$with_editor"
 		;;
 esac
 else
@@ -5070,10 +5073,9 @@ if test "${with_askpass+set}" = set; then :
     yes)	as_fn_error "\"--with-askpass takes a path as an argument.\"" "$LINENO" 5
 		;;
     no)		;;
-    *)
-cat >>confdefs.h <<_ACEOF
+    *)		cat >>confdefs.h <<EOF
 #define _PATH_SUDO_ASKPASS "$with_askpass"
-_ACEOF
+EOF
 
 		;;
 esac
@@ -6625,13 +6627,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6628: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6630: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6631: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6633: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6634: output\"" >&5)
+  (eval echo "\"\$as_me:6636: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7836,7 +7838,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7839 "configure"' > conftest.$ac_ext
+  echo '#line 7841 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9229,11 +9231,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9232: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9234: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9236: \$? = $ac_status" >&5
+   echo "$as_me:9238: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9568,11 +9570,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9571: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9573: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9575: \$? = $ac_status" >&5
+   echo "$as_me:9577: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9673,11 +9675,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9676: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9678: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9680: \$? = $ac_status" >&5
+   echo "$as_me:9682: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9728,11 +9730,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9731: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9733: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9735: \$? = $ac_status" >&5
+   echo "$as_me:9737: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12095,7 +12097,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12098 "configure"
+#line 12100 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12191,7 +12193,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12194 "configure"
+#line 12196 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13614,42 +13616,20 @@ fi
 if test -z "$with_editor"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for vi" >&5
 $as_echo_n "checking for vi... " >&6; }
-if test -f "/usr/bin/vi"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/bin/vi" >&5
-$as_echo "/usr/bin/vi" >&6; }
-    cat >>confdefs.h <<\EOF
-#define _PATH_VI "/usr/bin/vi"
-EOF
-
-elif test -f "/usr/ucb/vi"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/ucb/vi" >&5
-$as_echo "/usr/ucb/vi" >&6; }
-    cat >>confdefs.h <<\EOF
-#define _PATH_VI "/usr/ucb/vi"
-EOF
-
-elif test -f "/usr/bsd/vi"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/bsd/vi" >&5
-$as_echo "/usr/bsd/vi" >&6; }
-    cat >>confdefs.h <<\EOF
-#define _PATH_VI "/usr/bsd/vi"
-EOF
-
-elif test -f "/bin/vi"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: /bin/vi" >&5
-$as_echo "/bin/vi" >&6; }
-    cat >>confdefs.h <<\EOF
-#define _PATH_VI "/bin/vi"
-EOF
-
-elif test -f "/usr/local/bin/vi"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/local/bin/vi" >&5
-$as_echo "/usr/local/bin/vi" >&6; }
-    cat >>confdefs.h <<\EOF
-#define _PATH_VI "/usr/local/bin/vi"
+found=no
+for editor in "/usr/bin/vi" "/bin/vi" "/usr/ucb/vi" "/usr/bsd/vi" "/usr/local/bin/vi"; do
+    if test -f "$editor"; then
+	found=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $editor" >&5
+$as_echo "$editor" >&6; }
+	cat >>confdefs.h <<EOF
+#define _PATH_VI "$editor"
 EOF
 
-else
+	break
+    fi
+done
+if test X"$found" != X"no"; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
 $as_echo "not found" >&6; }
 fi
@@ -18290,18 +18270,16 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
 	INSTALL_NOEXEC="install-noexec"
 
 	eval noexec_file="$with_noexec"
-
-cat >>confdefs.h <<_ACEOF
+	cat >>confdefs.h <<EOF
 #define _PATH_SUDO_NOEXEC "$noexec_file"
-_ACEOF
+EOF
 
     fi
     if test X"$with_selinux" != X"no"; then
 	eval sesh_file="$libexecdir/sesh"
-
-cat >>confdefs.h <<_ACEOF
+	cat >>confdefs.h <<EOF
 #define _PATH_SUDO_SESH "$sesh_file"
-_ACEOF
+EOF
 
     fi
     exec_prefix="$oexec_prefix"
diff --git a/configure.in b/configure.in
index 98ed5c901..2307d4856 100644
--- a/configure.in
+++ b/configure.in
@@ -88,6 +88,7 @@ AC_SUBST([ldap_secret])
 AC_SUBST([nsswitch_conf])
 AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
+AC_SUBST([editor])
 #
 # Begin initial values for man page substitution
 #
@@ -112,6 +113,7 @@ badpass_message="Sorry, try again."
 fqdn=off
 runas_default=root
 env_editor=off
+editor=vi
 passwd_tries=3
 tty_tickets=off
 insults=off
@@ -835,6 +837,7 @@ AC_ARG_WITH(editor, [AS_HELP_STRING([--with-editor=path], [Default editor for vi
 		;;
     *)		AC_DEFINE_UNQUOTED(EDITOR, "$with_editor", [A colon-separated list of pathnames to be used as the editor for visudo.])
 		AC_MSG_RESULT([$with_editor])
+		editor="$with_editor"
 		;;
 esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)])
 
@@ -1076,7 +1079,7 @@ AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pat
     yes)	AC_MSG_ERROR(["--with-askpass takes a path as an argument."])
 		;;
     no)		;;
-    *)		AC_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
+    *)		SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, "$with_askpass", [The fully qualified pathname of askpass])
 		;;
 esac], AC_MSG_RESULT(no))
 
@@ -2773,11 +2776,11 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
 	INSTALL_NOEXEC="install-noexec"
 
 	eval noexec_file="$with_noexec"
-	AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
+	SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
     fi
     if test X"$with_selinux" != X"no"; then
 	eval sesh_file="$libexecdir/sesh"
-	AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
+	SUDO_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
     fi
     exec_prefix="$oexec_prefix"
 fi
diff --git a/sudoers.cat b/sudoers.cat
index b10aced47..526f907ee 100644
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
 
 
 
-1.7.4                     July 12, 2010                         1
+1.7.4                     July 14, 2010                         1
 
 
 
@@ -127,7 +127,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         2
+1.7.4                     July 14, 2010                         2
 
 
 
@@ -193,7 +193,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         3
+1.7.4                     July 14, 2010                         3
 
 
 
@@ -259,7 +259,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         4
+1.7.4                     July 14, 2010                         4
 
 
 
@@ -325,7 +325,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         5
+1.7.4                     July 14, 2010                         5
 
 
 
@@ -391,7 +391,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         6
+1.7.4                     July 14, 2010                         6
 
 
 
@@ -457,7 +457,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         7
+1.7.4                     July 14, 2010                         7
 
 
 
@@ -523,7 +523,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                         8
+1.7.4                     July 14, 2010                         8
 
 
 
@@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
 
 
 
-1.7.4                     July 12, 2010                         9
+1.7.4                     July 14, 2010                         9
 
 
 
@@ -655,7 +655,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        10
+1.7.4                     July 14, 2010                        10
 
 
 
@@ -721,7 +721,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        11
+1.7.4                     July 14, 2010                        11
 
 
 
@@ -787,7 +787,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        12
+1.7.4                     July 14, 2010                        12
 
 
 
@@ -853,7 +853,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        13
+1.7.4                     July 14, 2010                        13
 
 
 
@@ -919,7 +919,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        14
+1.7.4                     July 14, 2010                        14
 
 
 
@@ -985,7 +985,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        15
+1.7.4                     July 14, 2010                        15
 
 
 
@@ -1035,8 +1035,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
                        used with vviissuuddoo.  vviissuuddoo will choose the editor that
                        matches the user's EDITOR environment variable if
                        possible, or the first editor in the list that exists
-                       and is executable.  The default is the path to vi on
-                       your system.
+                       and is executable.  The default is "vi".
 
        mailsub         Subject of the mail sent to the _m_a_i_l_t_o user. The escape
                        %h will expand to the host name of the machine.
@@ -1051,7 +1050,8 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        16
+
+1.7.4                     July 14, 2010                        16
 
 
 
@@ -1117,7 +1117,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        17
+1.7.4                     July 14, 2010                        17
 
 
 
@@ -1183,7 +1183,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        18
+1.7.4                     July 14, 2010                        18
 
 
 
@@ -1249,7 +1249,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        19
+1.7.4                     July 14, 2010                        19
 
 
 
@@ -1315,7 +1315,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
-1.7.4                     July 12, 2010                        20
+1.7.4                     July 14, 2010                        20
 
 
 
@@ -1341,7 +1341,13 @@ FFIILLEESS
 
 EEXXAAMMPPLLEESS
        Below are example _s_u_d_o_e_r_s entries.  Admittedly, some of these are a bit
-       contrived.  First, we define our _a_l_i_a_s_e_s:
+       contrived.  First, we allow a few environment variables to pass and
+       then define our _a_l_i_a_s_e_s:
+
+        # Run X applications through sudo; HOME is used to find .Xauthority file
+        # Note that some programs may use HOME for other purposes too and
+        # this may lead to privilege escalation!
+        Defaults env_keep = "DISPLAY HOME"
 
         # User alias specification
         User_Alias     FULLTIMERS = millert, mikef, dowdy
@@ -1372,16 +1378,10 @@ EEXXAAMMPPLLEESS
         Cmnd_Alias     HALT = /usr/sbin/halt
         Cmnd_Alias     REBOOT = /usr/sbin/reboot
         Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
-                                /usr/local/bin/tcsh, /usr/bin/rsh, \
-                                /usr/local/bin/zsh
-        Cmnd_Alias     SU = /usr/bin/su
-        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
-       Here we override some of the compiled in default values.  We want ssuuddoo
 
 
 
-1.7.4                     July 12, 2010                        21
+1.7.4                     July 14, 2010                        21
 
 
 
@@ -1390,6 +1390,12 @@ EEXXAAMMPPLLEESS
 SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
+                                /usr/local/bin/tcsh, /usr/bin/rsh, \
+                                /usr/local/bin/zsh
+        Cmnd_Alias     SU = /usr/bin/su
+        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+       Here we override some of the compiled in default values.  We want ssuuddoo
        to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases.  We don't
        want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt
        need not give a password, and we don't want to reset the LOGNAME, USER
@@ -1438,23 +1444,23 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
         lisa           CUNETS = ALL
 
-       The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
-       class B network 128.138.0.0).
 
-        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
-                       sudoedit /etc/printcap, /usr/oper/bin/
 
 
+1.7.4                     July 14, 2010                        22
 
 
-1.7.4                     July 12, 2010                        22
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
+       class B network 128.138.0.0).
 
+        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+                       sudoedit /etc/printcap, /usr/oper/bin/
 
        The ooppeerraattoorr user may run commands limited to simple maintenance.
        Here, those are commands related to backups, killing processes, the
@@ -1504,24 +1510,24 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
         jen            ALL, !SERVERS = ALL
 
-       The user jjeenn may run any command on any machine except for those in the
-       _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns).
 
-        jill           SERVERS = /usr/bin/, !SU, !SHELLS
 
-       For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
 
+1.7.4                     July 14, 2010                        23
 
 
-1.7.4                     July 12, 2010                        23
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       The user jjeenn may run any command on any machine except for those in the
+       _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns).
 
+        jill           SERVERS = /usr/bin/, !SU, !SHELLS
 
+       For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
        the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U
        and _S_H_E_L_L_S Cmnd_Aliases.
 
@@ -1570,24 +1576,24 @@ SSEECCUURRIITTYY NNOOTTEESS
        an inconvenience for rules that grant privileges, it can result in a
        security issue for rules that subtract or revoke privileges.
 
-       For example, given the following _s_u_d_o_e_r_s entry:
 
-        john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
-             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
 
-       User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
 
+1.7.4                     July 14, 2010                        24
 
 
-1.7.4                     July 12, 2010                        24
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       For example, given the following _s_u_d_o_e_r_s entry:
 
+        john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
 
+       User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
        changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
 
 PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
@@ -1636,23 +1642,23 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
                  systems that support the LD_PRELOAD environment variable.
                  Check your operating system's manual pages for the dynamic
                  linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
-                 to see if LD_PRELOAD is supported.
 
-                 To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as
-                 documented in the User Specification section above.  Here is
-                 that example again:
 
 
+1.7.4                     July 14, 2010                        25
 
 
-1.7.4                     July 12, 2010                        25
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+                 to see if LD_PRELOAD is supported.
 
+                 To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as
+                 documented in the User Specification section above.  Here is
+                 that example again:
 
                   aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
 
@@ -1705,12 +1711,6 @@ DDIISSCCLLAAIIMMEERR
 
 
 
-
-
-
-
-
-
-1.7.4                     July 12, 2010                        26
+1.7.4                     July 14, 2010                        26
 
 
diff --git a/sudoers.man.in b/sudoers.man.in
index 1bdfb7e6b..98e361eca 100644
--- a/sudoers.man.in
+++ b/sudoers.man.in
@@ -148,7 +148,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "July 14, 2010" "1.7.4" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -1091,8 +1091,7 @@ The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
 A colon (':') separated list of editors allowed to be used with
 \&\fBvisudo\fR.  \fBvisudo\fR will choose the editor that matches the user's
 \&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable.  The default is the path to vi
-on your system.
+list that exists and is executable.  The default is \f(CW"@editor@"\fR.
 .IP "mailsub" 16
 .IX Item "mailsub"
 Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
@@ -1388,9 +1387,15 @@ I/O log files
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Below are example \fIsudoers\fR entries.  Admittedly, some of
-these are a bit contrived.  First, we define our \fIaliases\fR:
+these are a bit contrived.  First, we allow a few environment
+variables to pass and then define our \fIaliases\fR:
 .PP
 .Vb 4
+\& # Run X applications through sudo; HOME is used to find .Xauthority file
+\& # Note that some programs may use HOME for other purposes too and
+\& # this may lead to privilege escalation!
+\& Defaults env_keep = "DISPLAY HOME"
+\&
 \& # User alias specification
 \& User_Alias     FULLTIMERS = millert, mikef, dowdy
 \& User_Alias     PARTTIMERS = bostley, jwfox, crawl
diff --git a/sudoers.pod b/sudoers.pod
index 109084a71..ba3f527bd 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -1007,8 +1007,7 @@ The default is C<@badpass_message@> unless insults are enabled.
 A colon (':') separated list of editors allowed to be used with
 B<visudo>.  B<visudo> will choose the editor that matches the user's
 EDITOR environment variable if possible, or the first editor in the
-list that exists and is executable.  The default is the path to vi
-on your system.
+list that exists and is executable.  The default is C<"@editor@">.
 
 =item mailsub
 
@@ -1357,7 +1356,13 @@ I/O log files
 =head1 EXAMPLES
 
 Below are example I<sudoers> entries.  Admittedly, some of
-these are a bit contrived.  First, we define our I<aliases>:
+these are a bit contrived.  First, we allow a few environment
+variables to pass and then define our I<aliases>:
+
+ # Run X applications through sudo; HOME is used to find .Xauthority file
+ # Note that some programs may use HOME for other purposes too and
+ # this may lead to privilege escalation!
+ Defaults env_keep = "DISPLAY HOME"
 
  # User alias specification
  User_Alias	FULLTIMERS = millert, mikef, dowdy
diff --git a/visudo.cat b/visudo.cat
index e72311c46..c99374f8f 100644
--- a/visudo.cat
+++ b/visudo.cat
@@ -17,17 +17,16 @@ DDEESSCCRRIIPPTTIIOONN
        _s_u_d_o_e_r_s file is currently being edited you will receive a message to
        try again later.
 
-       There is a hard-coded list of editors that vviissuuddoo will use set at
-       compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default
-       variable.  This list defaults to the path to _v_i(1) on your system, as
-       determined by the _c_o_n_f_i_g_u_r_e script.  Normally, vviissuuddoo does not honor
-       the VISUAL or EDITOR environment variables unless they contain an
-       editor in the aforementioned editors list.  However, if vviissuuddoo is
-       configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r option or the _e_n_v___e_d_i_t_o_r Default
-       variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by
-       VISUAL or EDITOR.  Note that this can be a security hole since it
-       allows the user to execute any program they wish simply by setting
-       VISUAL or EDITOR.
+       There is a hard-coded list of one or more editors that vviissuuddoo will use
+       set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s
+       Default variable.  This list defaults to "vi".  Normally, vviissuuddoo does
+       not honor the VISUAL or EDITOR environment variables unless they
+       contain an editor in the aforementioned editors list.  However, if
+       vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the
+       _e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the
+       editor defines by VISUAL or EDITOR.  Note that this can be a security
+       hole since it allows the user to execute any program they wish simply
+       by setting VISUAL or EDITOR.
 
        vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the
        changes if there is a syntax error.  Upon finding an error, vviissuuddoo will
@@ -58,10 +57,11 @@ OOPPTTIIOONNSS
                    appended to it.
 
        -q          Enable qquuiieett mode.  In this mode details about syntax
+                   errors are not printed.  This option is only useful when
 
 
 
-1.7.4                     July 12, 2010                         1
+1.7.4                     July 14, 2010                         1
 
 
 
@@ -70,7 +70,6 @@ OOPPTTIIOONNSS
 VISUDO(1m)             MAINTENANCE COMMANDS            VISUDO(1m)
 
 
-                   errors are not printed.  This option is only useful when
                    combined with the --cc option.
 
        -s          Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file.  If an alias is
@@ -124,10 +123,11 @@ SSEEEE AALLSSOO
 
 AAUUTTHHOORR
        Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo
+       was written by:
 
 
 
-1.7.4                     July 12, 2010                         2
+1.7.4                     July 14, 2010                         2
 
 
 
@@ -136,8 +136,6 @@ AAUUTTHHOORR
 VISUDO(1m)             MAINTENANCE COMMANDS            VISUDO(1m)
 
 
-       was written by:
-
         Todd Miller
 
        See the HISTORY file in the sudo distribution or visit
@@ -193,6 +191,8 @@ DDIISSCCLLAAIIMMEERR
 
 
 
-1.7.4                     July 12, 2010                         3
+
+
+1.7.4                     July 14, 2010                         3
 
 
diff --git a/visudo.man.in b/visudo.man.in
index 1423451c4..563fd3bce 100644
--- a/visudo.man.in
+++ b/visudo.man.in
@@ -144,7 +144,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "July 14, 2010" "1.7.4" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,13 +162,12 @@ simultaneous edits, provides basic sanity checks, and checks
 for parse errors.  If the \fIsudoers\fR file is currently being
 edited you will receive a message to try again later.
 .PP
-There is a hard-coded list of editors that \fBvisudo\fR will use set
-at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
-\&\f(CW\*(C`Default\*(C'\fR variable.  This list defaults to the path to \fIvi\fR\|(1) on
-your system, as determined by the \fIconfigure\fR script.  Normally,
+There is a hard-coded list of one or more editors that \fBvisudo\fR will
+use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
+\&\f(CW\*(C`Default\*(C'\fR variable.  This list defaults to \f(CW"@editor@"\fR.  Normally,
 \&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
 variables unless they contain an editor in the aforementioned editors
-list.  However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR
+list.  However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
 option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
 \&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
 Note that this can be a security hole since it allows the user to
diff --git a/visudo.pod b/visudo.pod
index b68723c86..ccc5c00b2 100644
--- a/visudo.pod
+++ b/visudo.pod
@@ -36,13 +36,12 @@ simultaneous edits, provides basic sanity checks, and checks
 for parse errors.  If the I<sudoers> file is currently being
 edited you will receive a message to try again later.
 
-There is a hard-coded list of editors that B<visudo> will use set
-at compile-time that may be overridden via the I<editor> I<sudoers>
-C<Default> variable.  This list defaults to the path to L<vi(1)> on
-your system, as determined by the I<configure> script.  Normally,
+There is a hard-coded list of one or more editors that B<visudo> will
+use set at compile-time that may be overridden via the I<editor> I<sudoers>
+C<Default> variable.  This list defaults to C<"@editor@">.  Normally,
 B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
 variables unless they contain an editor in the aforementioned editors
-list.  However, if B<visudo> is configured with the I<--with-enveditor>
+list.  However, if B<visudo> is configured with the I<--with-env-editor>
 option or the I<env_editor> C<Default> variable is set in I<sudoers>,
 B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
 Note that this can be a security hole since it allows the user to
-- 
2.40.0