Use roff conditionals in the manuals instead of post-processing.

We still need to process the resulting .man.in files to add back the conditionals but this should be easier to debug as the changes are visible in the .in file. Some minor postprocessing is still used to make the manuals HP-UX friendly and to change "0 seconds" -> unlimited after substitution.
2025-08-22 09:57:41 +00:00 · 2018-11-27 08:14:15 -07:00 · 2018-11-27 08:14:15 -07:00 · e010706ede
commit e010706ede
parent 23006c72c7
12 changed files with 307 additions and 344 deletions
--- a/4
+++ b/4
@ -24,7 +24,7 @@ doc/cvtsudoers.cat
 doc/cvtsudoers.man.in
 doc/cvtsudoers.mdoc.in
 doc/fixman.sh
-doc/fixmdoc.sh
+doc/fixmdoc.sed
 doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
@ -34,6 +34,7 @@ doc/sudo.conf.cat
 doc/sudo.conf.man.in
 doc/sudo.conf.mdoc.in
 doc/sudo.man.in
+doc/sudo.man.in.sed
 doc/sudo.mdoc.in
 doc/sudo_plugin.cat
 doc/sudo_plugin.man.in
@ -43,6 +44,7 @@ doc/sudoers.ldap.cat
 doc/sudoers.ldap.man.in
 doc/sudoers.ldap.mdoc.in
 doc/sudoers.man.in
+doc/sudoers.man.in.sed
 doc/sudoers.mdoc.in
 doc/sudoers_timestamp.cat
 doc/sudoers_timestamp.man.in
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@ -132,25 +132,22 @@ varsub: $(top_srcdir)/configure.ac
 	    $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.ac | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
 	fi

-$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in
+$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed
 	@if [ -n "$(DEVEL)" ]; then \
 	    echo "Generating $@"; \
 	    mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
 	    mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
-	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
+	    $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.man.in.sed > $@; \
 	fi

-sudo.man.sed: $(srcdir)/fixman.sh
-	BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@
+fixman.sed: $(srcdir)/fixman.sh
+	$(SHELL) $(srcdir)/fixman.sh $@

-$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in sudo.man.sed
-	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f $@.sed > $@
+$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@

-sudo.mdoc.sed: $(srcdir)/fixmdoc.sh
-	BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
-
-$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in sudo.mdoc.sed
-	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.mdoc.in | $(SED) -f $@.sed > $@
+$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in
+	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@

 $(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
 	@if [ -n "$(DEVEL)" ]; then \
@ -166,8 +163,8 @@ $(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -186,8 +183,8 @@ $(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -198,25 +195,19 @@ $(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in
 	    $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/ OpenBSD \([^ ].*  \)/     \1    /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
 	fi

-$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
+$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed
 	@if [ -n "$(DEVEL)" ]; then \
 	    echo "Generating $@"; \
 	    mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
 	    mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
-	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
+	    $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudoers.man.in.sed> $@; \
 	fi

-sudoers.man.sed: $(srcdir)/fixman.sh
-	LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@
+$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@

-$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in sudoers.man.sed
-	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f $@.sed > $@
-
-sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh
-	LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
-
-$(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed
-	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $@.sed > $@
+$(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@

 $(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
 	@if [ -n "$(DEVEL)" ]; then \
@ -232,8 +223,8 @@ $(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -252,8 +243,8 @@ $(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -272,8 +263,8 @@ $(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -292,8 +283,8 @@ $(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -312,8 +303,8 @@ $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
 	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
 	fi

-$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in
-	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
+$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed
+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@

 $(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
 	cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
@ -390,7 +381,7 @@ pvs-studio:
 check:

 clean:
-	-rm -f varsub *.sed
+	-rm -f varsub fixman.sed

 mostlyclean: clean

--- a/doc/fixman.sh
+++ b/doc/fixman.sh
@ -28,130 +28,10 @@ if [ X"`uname 2>&1`" = X"HP-UX" ]; then
 EOF
 fi

-# Page specific hacks
-case "$OUTFILE" in
-    sudo.man.sed)
-	# Replace "0 minutes" with "unlimited"
-	cat >>"$OUTFILE" <<-'EOF'
+# Replace "0 minutes" with "unlimited"
+cat >>"$OUTFILE" <<-'EOF'
 	/^\\fR0\\fR$/ {
 		N
 		s/^\\fR0\\fR\nminutes\.$/unlimited./
 	}
-	EOF
-
-	# BSD auth
-	if [ X"$BAMAN" != X"1" ]; then
-	cat >>"$OUTFILE" <<-'EOF'
-		/^\[\\fB\\-a\\fR\\ \\fItype\\fR/d
-		/^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ {
-			/^\.PD$/!d
-		}
-	EOF
-	fi
-
-	# BSD login class
-	if [ X"$LCMAN" != X"1" ]; then
-	cat >>"$OUTFILE" <<-'EOF'
-		/^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d
-		/^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ {
-			/^\.PD$/!d
-		}
-		/^login_cap(3),$/d
-		/^BSD login class$/ {
-			N
-			N
-			/^BSD login class\n\.TP 4n\n\\fBo\\fR$/d
-		}
-	EOF
-	fi
-
-	# SELinux
-	if [ X"$SEMAN" != X"1" ]; then
-	cat >>"$OUTFILE" <<-'EOF'
-		/^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d
-		/^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ {
-			/^\.PD$/!d
-		}
-		/^SELinux role and type$/ {
-			N
-			N
-			/^SELinux role and type\n\.TP 4n\n\\fBo\\fR$/d
-		}
-	EOF
-	fi
-
-	# Solaris privileges
-	if [ X"$PSMAN" != X"1" ]; then
-	cat >>"$OUTFILE" <<-'EOF'
-		/^Solaris project$/ {
-			N
-			N
-			N
-			N
-			N
-			/^Solaris project\n\.TP 4n\n\\fBo\\fR\nSolaris privileges\n\.TP 4n\n\\fBo\\fR$/d
-		}
-	EOF
-	fi
-		;;
-    sudoers.man.sed)
-	# Join tagged list line with the corresponding item and re-process
-	cat >>"$OUTFILE" <<-'EOF'
-		:again
-		/^\.TP 18n$/ {
-			N
-			bagain
-		}
-	EOF
-
-	# Subsections to remove (SELinux and Solaris are adjacent)
-	RM_SS=
-	if [ X"$PSMAN" != X"1" ]; then
-	    if [ X"$SEMAN" != X"1" ]; then
-		RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS "[^S]/{;/^\.SS "[^S][^o][^l]/!d;};'
-	    else
-		RM_SS='/^\.SS "Solaris_Priv_Spec"/,/^\.SS/{;/^\.SS "[^S][^o][^l]/!d;};'
-	    fi
-	elif [ X"$SEMAN" != X"1" ]; then
-		RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;};'
-	fi
-	if [ -n "$RM_SS" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			$RM_SS
-		EOF
-	fi
-
-	# BSD login class
-	if [ X"$LCMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			/^On BSD systems/,/\.$/d
-			/^\.TP 18n\nuse_loginclass$/,/^by default\./d
-		EOF
-	fi
-
-	# Solaris PrivSpec
-	if [ X"$PSMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			s/Solaris_Priv_Spec | //
-			/^Solaris_Priv_Spec ::=/ {
-				N
-				d
-			}
-			/^\.TP 18n\n\(limit\)*privs$/,/^is built on Solaris 10 or higher\./d
-			/^On Solaris 10/,/^\.[sP][pP]/d
-		EOF
-	fi
-
-	# SELinux
-	if [ X"$SEMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			s/SELinux_Spec | //
-			/^SELinux_Spec ::=/ {
-				N
-				d
-			}
-			/^\.TP 18n\n[rt][oy][lp]e$/,/^is built with SELinux support\.$/d
-		EOF
-	fi
-	;;
-esac
+EOF
--- a/doc/fixmdoc.sed
+++ b/doc/fixmdoc.sed
@ -0,0 +1,5 @@
+# Replace "0 minutes" with "unlimited"
+/^\.Li 0$/ {
+	N
+	s/^\.Li 0\nminutes\.$/unlimited./
+}
--- a/doc/fixmdoc.sh
+++ b/doc/fixmdoc.sh
@ -1,143 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2012-2014, 2017 Todd C. Miller <Todd.Miller@sudo.ws>
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-#
-
-OUTFILE="$1"
-rm -f "$OUTFILE"
-> "$OUTFILE"
-
-# Page specific hacks
-case "$OUTFILE" in
-    sudo.mdoc.sed)
-	# Replace "0 minutes" with "unlimited"
-	cat >>"$OUTFILE" <<-'EOF'
-		/^\.Li 0$/ {
-			N
-			s/^\.Li 0\nminutes\.$/unlimited./
-		}
-	EOF
-
-	# BSD auth
-	BA_FLAG=
-	if [ X"$BAMAN" != X"1" ]; then
-		BA_FLAG='/^.*\n\.Op Fl a Ar type/{;N;/^.*\n\.Ek$/d;};'
-		cat >>"$OUTFILE" <<-'EOF'
-			/^\.It Fl a Ar type/,/BSD authentication\.$/d
-		EOF
-	fi
-
-	# BSD login class
-	LC_FLAG=
-	if [ X"$LCMAN" != X"1" ]; then
-		LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};'
-		cat >>"$OUTFILE" <<-'EOF'
-			/^\.It Fl c Ar class/,/BSD login classes\.$/d
-			/^\.Xr login_cap 3 ,$/d
-			/^BSD login class$/ {
-				N
-				/^BSD login class\n\.It$/d
-			}
-		EOF
-	fi
-
-	# SELinux
-	SE_FLAG=
-	if [ X"$SEMAN" != X"1" ]; then
-		SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};'
-		cat >>"$OUTFILE" <<-'EOF'
-			/^\.It Fl r Ar role/,/^\.Ar role \.$/d
-			/^\.It Fl t Ar type/,/derived from the role\.$/d
-			/^SELinux role and type$/ {
-				N
-				/^SELinux role and type\n\.It$/d
-			}
-		EOF
-	fi
-
-	# Solaris privileges
-	if [ X"$PSMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-'EOF'
-			/^Solaris project$/ {
-				N
-				N
-				N
-				/^Solaris project\n\.It\nSolaris privileges\n\.It$/d
-			}
-		EOF
-	fi
-
-	# Unsupported flags must be removed together
-	if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			/^\.Bk -words\$/ {
-			    N
-			    $BA_FLAG$LC_FLAG$SE_FLAG
-			}
-		EOF
-	fi
-	;;
-    sudoers.mdoc.sed)
-	# Subsections to remove (SELinux and Solaris are adjacent)
-	RM_SS=
-	if [ X"$PSMAN" != X"1" ]; then
-	    if [ X"$SEMAN" != X"1" ]; then
-		RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss [^S]/{;/^\.Ss [^S][^o][^l]/!d;};'
-	    else
-		RM_SS='/^\.Ss Solaris_Priv_Spec/,/^\.Ss/{;/^\.Ss [^S][^o][^l]/!d;};'
-	    fi
-	elif [ X"$SEMAN" != X"1" ]; then
-		RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;};'
-	fi
-	if [ -n "$RM_SS" ]; then
-		cat >>"$OUTFILE" <<-EOF
-			$RM_SS
-		EOF
-	fi
-
-	# BSD login class
-	if [ X"$LCMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-'EOF'
-			/^On BSD systems/,/\.$/d
-			/^\.It use_loginclass$/,/^by default\./d
-		EOF
-	fi
-
-	# Solaris PrivSpec
-	if [ X"$PSMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-'EOF'
-			s/Solaris_Priv_Spec | //
-			/^Solaris_Priv_Spec ::=/ {
-				N
-				d
-			}
-			/^\.It \(limit\)*privs$/,/is built on Solaris 10 or higher\.$/d
-			/^On Solaris 10/,/^\.Pp/d
-		EOF
-	fi
-
-	# SELinux
-	if [ X"$SEMAN" != X"1" ]; then
-		cat >>"$OUTFILE" <<-'EOF'
-			s/SELinux_Spec | //
-			/^SELinux_Spec ::=/ {
-				N
-				d
-			}
-			/^\.It [rt][oy][lp]e$/,/is built with SELinux support\.$/d
-		EOF
-	fi
-	;;
-esac
--- a/doc/sudo.cat
+++ b/doc/sudo.cat
@ -738,4 +738,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or https://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.26                    October 27, 2018                    Sudo 1.8.26
+Sudo 1.8.26                    November 25, 2018                   Sudo 1.8.26
--- a/doc/sudo.man.in
+++ b/doc/sudo.man.in
@ -19,7 +19,11 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "8" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.nr PS @PSMAN@
+.TH "SUDO" "8" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@ -36,7 +40,7 @@
 \fBsudo\fR
 \fB\-v\fR
 [\fB\-AknS\fR]
-[\fB\-a\fR\ \fItype\fR]
+.if \n(BA [\fB\-a\fR\ \fItype\fR]
 [\fB\-g\fR\ \fIgroup\fR]
 [\fB\-h\fR\ \fIhost\fR]
 [\fB\-p\fR\ \fIprompt\fR]
@ -46,7 +50,7 @@
 \fBsudo\fR
 \fB\-l\fR
 [\fB\-AknS\fR]
-[\fB\-a\fR\ \fItype\fR]
+.if \n(BA [\fB\-a\fR\ \fItype\fR]
 [\fB\-g\fR\ \fIgroup\fR]
 [\fB\-h\fR\ \fIhost\fR]
 [\fB\-p\fR\ \fIprompt\fR]
@ -57,14 +61,14 @@
 .HP 5n
 \fBsudo\fR
 [\fB\-AbEHnPS\fR]
-[\fB\-a\fR\ \fItype\fR]
+.if \n(BA [\fB\-a\fR\ \fItype\fR]
 [\fB\-C\fR\ \fInum\fR]
-[\fB\-c\fR\ \fIclass\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR]
 [\fB\-g\fR\ \fIgroup\fR]
 [\fB\-h\fR\ \fIhost\fR]
 [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-r\fR\ \fIrole\fR]
-[\fB\-t\fR\ \fItype\fR]
+.if \n(SL [\fB\-r\fR\ \fIrole\fR]
+.if \n(SL [\fB\-t\fR\ \fItype\fR]
 [\fB\-T\fR\ \fItimeout\fR]
 [\fB\-u\fR\ \fIuser\fR]
 [\fIVAR\fR=\fIvalue\fR]
@ -74,9 +78,9 @@
 .HP 9n
 \fBsudoedit\fR
 [\fB\-AknS\fR]
-[\fB\-a\fR\ \fItype\fR]
+.if \n(BA [\fB\-a\fR\ \fItype\fR]
 [\fB\-C\fR\ \fInum\fR]
-[\fB\-c\fR\ \fIclass\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR]
 [\fB\-g\fR\ \fIgroup\fR]
 [\fB\-h\fR\ \fIhost\fR]
 [\fB\-p\fR\ \fIprompt\fR]
@ -188,9 +192,12 @@ If no askpass program is available,
 \fBsudo\fR
 will exit with an error.
 .RE
+.if \n(BA \{\
 .TP 12n
 \fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR
-Use the specified BSD authentication
+Use the specified
+BSD
+authentication
 \fItype\fR
 when validating the user, if allowed by
 \fI/etc/login.conf\fR.
@ -199,7 +206,10 @@ authentication methods by adding an
 \(lqauth-sudo\(rq
 entry in
 \fI/etc/login.conf\fR.
-This option is only available on systems that support BSD authentication.
+This option is only available on systems that support
+BSD
+authentication.
+.\}
 .TP 12n
 \fB\-b\fR, \fB\--background\fR
 Run the given command in the background.
@ -226,6 +236,7 @@ policy only permits use of the
 option when the administrator has enabled the
 \fIclosefrom_override\fR
 option.
+.if \n(LC \{\
 .TP 12n
 \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR
 Run the command with resource limits and scheduling priority of
@ -250,7 +261,10 @@ If the command is being run as a login shell, additional
 \fI/etc/login.conf\fR
 settings, such as the umask and environment variables, will
 be applied, if present.
-This option is only available on systems with BSD login classes.
+This option is only available on systems with
+BSD
+login classes.
+.\}
 .TP 12n
 \fB\-E\fR, \fB\--preserve-env\fR
 Indicates to the security policy that the user wishes to
@ -545,11 +559,13 @@ specified by a PAM module unless the
 flag is disabled in
 \fIsudoers\fR.
 .RE
+.if \n(SL \{\
 .TP 12n
 \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR
 Run the command with an SELinux security context that includes
 the specified
 \fIrole\fR.
+.\}
 .TP 12n
 \fB\-S\fR, \fB\--stdin\fR
 Write the prompt to the standard error and read the password from the
@ -568,6 +584,7 @@ If no command is specified, an interactive shell is executed.
 Note that most shells behave differently when a command is specified
 as compared to an interactive session; consult the shell's manual
 for details.
+.if \n(SL \{\
 .TP 12n
 \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR
 Run the command with an SELinux security context that includes
@ -576,6 +593,7 @@ the specified
 If no
 \fItype\fR
 is specified, the default type is derived from the role.
+.\}
 .TP 12n
 \fB\-U\fR \fIuser\fR, \fB\--other-user\fR=\fIuser\fR
 Used in conjunction with the
@ -711,18 +729,27 @@ current working directory
 .TP 3n
 \fB\(bu\fR
 file creation mode mask (umask)
+.if \n(SL \{\
 .TP 3n
 \fB\(bu\fR
 SELinux role and type
+.\}
+.if \n(PS \{\
 .TP 3n
 \fB\(bu\fR
 Solaris project
+.\}
+.if \n(PS \{\
 .TP 3n
 \fB\(bu\fR
 Solaris privileges
+.\}
+.if \n(LC \{\
 .TP 3n
 \fB\(bu\fR
-BSD login class
+BSD
+login class
+.\}
 .TP 3n
 \fB\(bu\fR
 scheduling priority (aka nice value)
--- a/doc/sudo.man.in.sed
+++ b/doc/sudo.man.in.sed
@ -0,0 +1,76 @@
+s/^\(.TH .*\)/.nr SL @SEMAN@\
+.nr BA @BAMAN@\
+.nr LC @LCMAN@\
+.nr PS @PSMAN@\
+\1/
+
+s/^\(\[\\fB\\-a\\fR.*\\fItype\\fR\]\) *$/.if \\n(BA \1/
+s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/
+s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/
+s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/
+
+/^\.TP 12n$/ {
+	N
+	/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
+            /^\.TP 12n/ {
+		/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\
+.if \\n(BA \\{\\
+		/^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\
+.\\}
+            }
+        }
+	/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ {
+            /^\.TP 12n/ {
+		/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\
+.if \\n(LC \\{\\
+		/^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\
+.\\}
+            }
+        }
+	/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ {
+            /^\.TP 12n/ {
+		/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\
+.if \\n(SL \\{\\
+		/^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\
+.\\}
+            }
+        }
+	/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ {
+            /^\.TP 12n/ {
+		/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\
+.if \\n(SL \\{\\
+		/^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\
+.\\}
+            }
+        }
+}
+
+/^\.TP 3n$/ {
+	N
+	N
+	/^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/ {
+		i\
+.if \\n(SL \\{\\
+		a\
+.\\}
+	}
+	/^.TP 3n\n\\fB\\(bu\\fR\nSolaris project$/ {
+		i\
+.if \\n(PS \\{\\
+		a\
+.\\}
+	}
+	/^.TP 3n\n\\fB\\(bu\\fR\nSolaris privileges$/ {
+		i\
+.if \\n(PS \\{\\
+		a\
+.\\}
+	}
+	/^.TP 3n\n\\fB\\(bu\\fR\nBSD$/ {
+		N
+		i\
+.if \\n(LC \\{\\
+		a\
+.\\}
+	}
+}
--- a/doc/sudo.mdoc.in
+++ b/doc/sudo.mdoc.in
@ -18,7 +18,11 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd October 27, 2018
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.nr PS @PSMAN@
+.Dd November 25, 2018
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@ -31,7 +35,9 @@
 .Nm sudo
 .Fl v
 .Op Fl AknS
+.if \n(BA \{\
 .Op Fl a Ar type
+.\}
 .Op Fl g Ar group
 .Op Fl h Ar host
 .Op Fl p Ar prompt
@ -39,7 +45,9 @@
 .Nm sudo
 .Fl l
 .Op Fl AknS
+.if \n(BA \{\
 .Op Fl a Ar type
+.\}
 .Op Fl g Ar group
 .Op Fl h Ar host
 .Op Fl p Ar prompt
@ -48,14 +56,20 @@
 .Op Ar command
 .Nm sudo
 .Op Fl AbEHnPS
+.if \n(BA \{\
 .Op Fl a Ar type
+.\}
 .Op Fl C Ar num
+.if \n(LC \{\
 .Op Fl c Ar class
+.\}
 .Op Fl g Ar group
 .Op Fl h Ar host
 .Op Fl p Ar prompt
+.if \n(SL \{\
 .Op Fl r Ar role
 .Op Fl t Ar type
+.\}
 .Op Fl T Ar timeout
 .Op Fl u Ar user
 .Op Ar VAR Ns = Ns Ar value
@ -63,9 +77,13 @@
 .Op Ar command
 .Nm sudoedit
 .Op Fl AknS
+.if \n(BA \{\
 .Op Fl a Ar type
+.\}
 .Op Fl C Ar num
+.if \n(LC \{\
 .Op Fl c Ar class
+.\}
 .Op Fl g Ar group
 .Op Fl h Ar host
 .Op Fl p Ar prompt
@ -171,8 +189,11 @@ Path askpass /usr/X11R6/bin/ssh-askpass
 If no askpass program is available,
 .Nm
 will exit with an error.
+.if \n(BA \{\
 .It Fl a Ar type , Fl -auth-type Ns = Ns Ar type
-Use the specified BSD authentication
+Use the specified
+.Bx
+authentication
 .Ar type
 when validating the user, if allowed by
 .Pa /etc/login.conf .
@ -181,7 +202,10 @@ authentication methods by adding an
 .Dq auth-sudo
 entry in
 .Pa /etc/login.conf .
-This option is only available on systems that support BSD authentication.
+This option is only available on systems that support
+.Bx
+authentication.
+.\}
 .It Fl b , -background
 Run the given command in the background.
 Note that it is not possible to use shell job control to manipulate
@ -206,6 +230,7 @@ policy only permits use of the
 option when the administrator has enabled the
 .Em closefrom_override
 option.
+.if \n(LC \{\
 .It Fl c Ar class , Fl -login-class Ns = Ns Ar class
 Run the command with resource limits and scheduling priority of
 the specified login
@ -229,7 +254,10 @@ If the command is being run as a login shell, additional
 .Pa /etc/login.conf
 settings, such as the umask and environment variables, will
 be applied, if present.
-This option is only available on systems with BSD login classes.
+This option is only available on systems with
+.Bx
+login classes.
+.\}
 .It Fl E , -preserve-env
 Indicates to the security policy that the user wishes to
 preserve their existing environment variables.
@ -493,10 +521,12 @@ specified by a PAM module unless the
 .Em passprompt_override
 flag is disabled in
 .Em sudoers .
+.if \n(SL \{\
 .It Fl r Ar role , Fl -role Ns = Ns Ar role
 Run the command with an SELinux security context that includes
 the specified
 .Ar role .
+.\}
 .It Fl S , -stdin
 Write the prompt to the standard error and read the password from the
 standard input instead of using the terminal device.
@ -513,6 +543,7 @@ If no command is specified, an interactive shell is executed.
 Note that most shells behave differently when a command is specified
 as compared to an interactive session; consult the shell's manual
 for details.
+.if \n(SL \{\
 .It Fl t Ar type , Fl -type Ns = Ns Ar type
 Run the command with an SELinux security context that includes
 the specified
@ -520,6 +551,7 @@ the specified
 If no
 .Ar type
 is specified, the default type is derived from the role.
+.\}
 .It Fl U Ar user , Fl -other-user Ns = Ns Ar user
 Used in conjunction with the
 .Fl l
@ -645,14 +677,21 @@ the environment list
 current working directory
 .It
 file creation mode mask (umask)
+.if \n(SL \{\
 .It
 SELinux role and type
+.\}
+.if \n(PS \{\
 .It
 Solaris project
 .It
 Solaris privileges
+.\}
+.if \n(LC \{\
 .It
-BSD login class
+.Bx
+login class
+.\}
 .It
 scheduling priority (aka nice value)
 .El
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@ -596,9 +596,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
     setting the group to operator or system.

   OOppttiioonn__SSppeecc
-     A Cmnd may have zero or more options associated with it.  Depending on
-     the system, options may consist of SELinux roles and/or types, Solaris
-     privileges sets, and command timeouts.  Once an option is set for a Cmnd,
+     A Cmnd may have zero or more options associated with it.  Options may
+     consist of SELinux roles and/or types, Solaris privileges sets, start
+     and/or end dates and command timeouts.  Once an option is set for a Cmnd,
     subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is
     overridden by another option.

@ -2928,4 +2928,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or https://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.26                    October 27, 2018                    Sudo 1.8.26
+Sudo 1.8.26                    November 25, 2018                   Sudo 1.8.26
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@ -19,7 +19,11 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.nr PS @PSMAN@
+.TH "SUDOERS" "5" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@ -292,7 +296,10 @@ systems without PAM), the environment is initialized with the
 contents of the
 \fI/etc/environment\fR
 file.
-On BSD systems, if the
+.if \n(LC \{\
+On
+BSD
+systems, if the
 \fIuse_loginclass\fR
 option is enabled, the environment is initialized
 based on the
@ -301,6 +308,7 @@ and
 \fIsetenv\fR
 settings in
 \fI/etc/login.conf\fR.
+.\}
 The new environment contains the
 \fRTERM\fR,
 \fRPATH\fR,
@ -483,7 +491,10 @@ systems without PAM), the contents of
 \fI/etc/environment\fR
 are also
 included.
-On BSD systems, if the
+.if \n(LC \{\
+On
+BSD
+systems, if the
 \fIuse_loginclass\fR
 flag is
 enabled, the
@ -493,6 +504,7 @@ and
 variables in
 \fI/etc/login.conf\fR
 are also applied.
+.\}
 All other environment variables are removed unless permitted by
 \fIenv_keep\fR
 or
@ -1037,12 +1049,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd

 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

-Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.ie \n(SL \{\
+.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
+.\}
+.el \{\
+.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (Date_Spec | Timeout_Spec)
+.\}

+.if \n(SL \{\
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

+.\}
+.if \n(PS \{\
 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

+.\}
 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')

 Timeout_Spec ::= 'TIMEOUT=timeout'
@ -1248,8 +1271,14 @@ optionally setting the group to operator or system.
 A
 \fRCmnd\fR
 may have zero or more options associated with it.
-Depending on the system, options may consist of SELinux roles
-and/or types, Solaris privileges sets, and command timeouts.
+Options may consist of
+.if \n(SL \{\
+SELinux roles and/or types,
+.\}
+.if \n(PS \{\
+Solaris privileges sets,
+.\}
+start and/or end dates and command timeouts.
 Once an option is set for a
 \fRCmnd\fR,
 subsequent
@ -1257,6 +1286,7 @@ subsequent
 in the
 \fRCmnd_Spec_List\fR,
 inherit that option unless it is overridden by another option.
+.if \n(SL \{\
 .SS "SELinux_Spec"
 On systems with SELinux support,
 \fIsudoers\fR
@ -1269,6 +1299,8 @@ specified in
 A role or type specified on the command line,
 however, will supersede the values in
 \fIsudoers\fR.
+.\}
+.if \n(PS \{\
 .SS "Solaris_Priv_Spec"
 On Solaris systems,
 \fIsudoers\fR
@ -1312,6 +1344,7 @@ name with either an
 or
 \(oq\-\(cq
 character.
+.\}
 .SS "Date_Spec"
 \fBsudoers\fR
 rules can be specified with a start and end date via the
@ -3086,6 +3119,7 @@ will set the umask to be the union of the user's umask and what is specified in
 This flag is
 \fI@umask_override@\fR
 by default.
+.if \n(BA \{\
 .TP 18n
 use_loginclass
 If set,
@ -3100,6 +3134,7 @@ option.
 This flag is
 \fIoff\fR
 by default.
+.\}
 .TP 18n
 use_netgroups
 If set, netgroups (prefixed with
@ -3563,6 +3598,7 @@ This directory should
 be cleared when the system reboots.
 The default is
 \fI@vardir@/lectured\fR.
+.if \n(PS \{\
 .TP 18n
 limitprivs
 The default Solaris limit privileges to use when constructing a new
@ -3573,6 +3609,7 @@ The default limit privileges may be overridden on a per-command basis in
 This option is only available if
 \fBsudoers\fR
 is built on Solaris 10 or higher.
+.\}
 .TP 18n
 mailsub
 Subject of the mail sent to the
@ -3681,6 +3718,7 @@ flag can be used to change this behavior.
 The default value is
 \(lq\fR@passprompt@\fR\(rq.
 .RE
+.if \n(PS \{\
 .TP 18n
 privs
 The default Solaris privileges to use when constructing a new
@ -3698,6 +3736,8 @@ The default privileges may be overridden on a per-command basis in
 This option is only available if
 \fBsudoers\fR
 is built on Solaris 10 or higher.
+.\}
+.if \n(SL \{\
 .TP 18n
 role
 The default SELinux role to use when constructing a new security
@ -3708,6 +3748,7 @@ file or via command line options.
 This option is only available when
 \fBsudo\fR
 is built with SELinux support.
+.\}
 .TP 18n
 runas_default
 The default user to run commands as if the
@ -3800,6 +3841,7 @@ The owner of the lecture status directory, time stamp directory and all
 files stored therein.
 The default is
 \fRroot\fR.
+.if \n(SL \{\
 .TP 18n
 type
 The default SELinux type to use when constructing a new security
@ -4199,6 +4241,7 @@ The default value is
 .RE
 .PP
 \fBLists that can be used in a boolean context\fR:
+.\}
 .TP 18n
 env_check
 Environment variables to be removed from the user's environment
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@ -18,7 +18,11 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd October 27, 2018
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.nr PS @PSMAN@
+.Dd November 25, 2018
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@ -282,7 +286,10 @@ systems without PAM), the environment is initialized with the
 contents of the
 .Pa /etc/environment
 file.
-On BSD systems, if the
+.if \n(LC \{\
+On
+.Bx
+systems, if the
 .Em use_loginclass
 option is enabled, the environment is initialized
 based on the
@ -291,6 +298,7 @@ and
 .Em setenv
 settings in
 .Pa /etc/login.conf .
+.\}
 The new environment contains the
 .Ev TERM ,
 .Ev PATH ,
@ -470,7 +478,10 @@ systems without PAM), the contents of
 .Pa /etc/environment
 are also
 included.
-On BSD systems, if the
+.if \n(LC \{\
+On
+.Bx
+systems, if the
 .Em use_loginclass
 flag is
 enabled, the
@ -480,6 +491,7 @@ and
 variables in
 .Pa /etc/login.conf
 are also applied.
+.\}
 All other environment variables are removed unless permitted by
 .Em env_keep
 or
@ -991,12 +1003,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd

 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

-Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.ie \n(SL \{\
+.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
+.\}
+.el \{\
+.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+.el Option_Spec ::= (Date_Spec | Timeout_Spec)
+.\}

+.if \n(SL \{\
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

+.\}
+.if \n(PS \{\
 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

+.\}
 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')

 Timeout_Spec ::= 'TIMEOUT=timeout'
@ -1177,8 +1200,14 @@ optionally setting the group to operator or system.
 A
 .Li Cmnd
 may have zero or more options associated with it.
-Depending on the system, options may consist of SELinux roles
-and/or types, Solaris privileges sets, and command timeouts.
+Options may consist of
+.if \n(SL \{\
+SELinux roles and/or types,
+.\}
+.if \n(PS \{\
+Solaris privileges sets,
+.\}
+start and/or end dates and command timeouts.
 Once an option is set for a
 .Li Cmnd ,
 subsequent
@ -1186,6 +1215,7 @@ subsequent
 in the
 .Li Cmnd_Spec_List ,
 inherit that option unless it is overridden by another option.
+.if \n(SL \{\
 .Ss SELinux_Spec
 On systems with SELinux support,
 .Em sudoers
@ -1198,6 +1228,8 @@ specified in
 A role or type specified on the command line,
 however, will supersede the values in
 .Em sudoers .
+.\}
+.if \n(PS \{\
 .Ss Solaris_Priv_Spec
 On Solaris systems,
 .Em sudoers
@ -1236,6 +1268,7 @@ name with either an
 or
 .Ql \-
 character.
+.\}
 .Ss Date_Spec
 .Nm sudoers
 rules can be specified with a start and end date via the
@ -2902,6 +2935,7 @@ will set the umask to be the union of the user's umask and what is specified in
 This flag is
 .Em @umask_override@
 by default.
+.if \n(LC \{\
 .It use_loginclass
 If set,
 .Nm sudo
@ -2915,6 +2949,7 @@ option.
 This flag is
 .Em off
 by default.
+.\}
 .It use_netgroups
 If set, netgroups (prefixed with
 .Ql + ) ,
@ -3349,6 +3384,7 @@ This directory should
 be cleared when the system reboots.
 The default is
 .Pa @vardir@/lectured .
+.if \n(PS \{\
 .It limitprivs
 The default Solaris limit privileges to use when constructing a new
 privilege set for a command.
@ -3358,6 +3394,7 @@ The default limit privileges may be overridden on a per-command basis in
 This option is only available if
 .Nm
 is built on Solaris 10 or higher.
+.\}
 .It mailsub
 Subject of the mail sent to the
 .Em mailto
@ -3451,6 +3488,7 @@ flag can be used to change this behavior.
 .Pp
 The default value is
 .Dq Li "@passprompt@" .
+.if \n(PS \{\
 .It privs
 The default Solaris privileges to use when constructing a new
 privilege set for a command.
@ -3467,6 +3505,8 @@ The default privileges may be overridden on a per-command basis in
 This option is only available if
 .Nm
 is built on Solaris 10 or higher.
+.\}
+.if \n(SL \{\
 .It role
 The default SELinux role to use when constructing a new security
 context to run the command.
@ -3476,6 +3516,7 @@ file or via command line options.
 This option is only available when
 .Nm sudo
 is built with SELinux support.
+.\}
 .It runas_default
 The default user to run commands as if the
 .Fl u
@ -3558,6 +3599,7 @@ The owner of the lecture status directory, time stamp directory and all
 files stored therein.
 The default is
 .Li root .
+.if \n(SL \{\
 .It type
 The default SELinux type to use when constructing a new security
 context to run the command.
@ -3567,6 +3609,7 @@ file or via command line options.
 This option is only available when
 .Nm sudo
 is built with SELinux support.
+.\}
 .El
 .Pp
 .Sy Strings that can be used in a boolean context :