From e78283af99d8456208c83f5a5fd4b33cb6f57528 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Wed, 6 Dec 2017 10:17:33 -0700
Subject: [PATCH] Document that in check mode, visudo does not check the
 owner/mode on files specified with the -f flag.

---
 doc/visudo.cat     | 11 ++++++++---
 doc/visudo.man.in  | 17 ++++++++++++++---
 doc/visudo.mdoc.in | 17 ++++++++++++++---
 3 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/doc/visudo.cat b/doc/visudo.cat
index 3f1d76505..aa5c27859 100644
--- a/doc/visudo.cat
+++ b/doc/visudo.cat
@@ -38,8 +38,10 @@ DDEESSCCRRIIPPTTIIOONN
      The options are as follows:
 
      --cc, ----cchheecckk
-                 Enable _c_h_e_c_k_-_o_n_l_y mode.  The existing _s_u_d_o_e_r_s file will be
-                 checked for syntax errors, owner and mode.  A message will be
+                 Enable _c_h_e_c_k_-_o_n_l_y mode.  The existing _s_u_d_o_e_r_s file (and any
+                 other files it includes) will be checked for syntax errors.
+                 If the --ff option has not been specified, vviissuuddoo will also
+                 check the _s_u_d_o_e_r_s file owner and mode.  A message will be
                  printed to the standard output describing the status of
                  _s_u_d_o_e_r_s unless the --qq option was specified.  If the check
                  completes successfully, vviissuuddoo will exit with a value of 0.
@@ -53,6 +55,9 @@ DDEESSCCRRIIPPTTIIOONN
                  used is the specified _s_u_d_o_e_r_s file with ".tmp" appended to
                  it.  In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-',
                  indicating that _s_u_d_o_e_r_s will be read from the standard input.
+                 Because the policy is evaluated in its entirety, it is not
+                 sufficient to check an individual _s_u_d_o_e_r_s include file for
+                 syntax errors.
 
      --hh, ----hheellpp  Display a short help message to the standard output and exit.
 
@@ -212,4 +217,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.22                    February 22, 2017                   Sudo 1.8.22
+Sudo 1.8.22                    December 6, 2017                    Sudo 1.8.22
diff --git a/doc/visudo.man.in b/doc/visudo.man.in
index c878997f9..f70591c9f 100644
--- a/doc/visudo.man.in
+++ b/doc/visudo.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "VISUDO" "8" "February 22, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "VISUDO" "8" "December 6, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -130,8 +130,15 @@ Enable
 mode.
 The existing
 \fIsudoers\fR
-file will be
-checked for syntax errors, owner and mode.
+file (and any other files it includes) will be
+checked for syntax errors.
+If the
+\fB\-f\fR
+option has not been specified,
+\fBvisudo\fR
+will also check the
+\fIsudoers\fR
+file owner and mode.
 A message will be printed to the standard output describing the status of
 \fIsudoers\fR
 unless the
@@ -169,6 +176,10 @@ may be
 indicating that
 \fIsudoers\fR
 will be read from the standard input.
+Because the policy is evaluated in its entirety, it is not sufficient
+to check an individual
+\fIsudoers\fR
+include file for syntax errors.
 .TP 12n
 \fB\-h\fR, \fB\--help\fR
 Display a short help message to the standard output and exit.
diff --git a/doc/visudo.mdoc.in b/doc/visudo.mdoc.in
index ae4bd4e46..85d78fd83 100644
--- a/doc/visudo.mdoc.in
+++ b/doc/visudo.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd February 22, 2017
+.Dd December 6, 2017
 .Dt VISUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -127,8 +127,15 @@ Enable
 mode.
 The existing
 .Em sudoers
-file will be
-checked for syntax errors, owner and mode.
+file (and any other files it includes) will be
+checked for syntax errors.
+If the
+.Fl f
+option has not been specified,
+.Nm
+will also check the
+.Em sudoers
+file owner and mode.
 A message will be printed to the standard output describing the status of
 .Em sudoers
 unless the
@@ -165,6 +172,10 @@ may be
 indicating that
 .Em sudoers
 will be read from the standard input.
+Because the policy is evaluated in its entirety, it is not sufficient
+to check an individual
+.Em sudoers
+include file for syntax errors.
 .It Fl h , -help
 Display a short help message to the standard output and exit.
 .It Fl q , -quiet
-- 
2.40.0