From 57933a8ff3f5a847649bcc7c3420ce64191b0111 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Tue, 17 Jan 2017 08:55:40 -0700
Subject: [PATCH] Safer example for rule that can change non-root passwords. 
 GNU getopts allows options to follow arguments so we need to be able to deny
 things like "passwd root -q".  From Paul "Joey" Clark. Bug #772

---
 doc/sudoers.cat     | 4 ++--
 doc/sudoers.man.in  | 4 ++--
 doc/sudoers.mdoc.in | 4 ++--
 examples/sudoers    | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 76dbf28a80..0461e8832a 100644
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -2287,7 +2287,7 @@ EEXXAAMMPPLLEESS
 
      The user jjooee may only su(1) to operator.
 
-     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
      %opers          ALL = (: ADMINGRP) /usr/sbin/
 
@@ -2640,4 +2640,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.19                    November 30, 2016                   Sudo 1.8.19
+Sudo 1.8.19                    January 17, 2017                    Sudo 1.8.19
diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 8673da07ae..29abf4cbeb 100644
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "November 30, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -4565,7 +4565,7 @@ to operator.
 .nf
 .sp
 .RS 0n
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 %opers		ALL = (: ADMINGRP) /usr/sbin/
 .RE
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 74b6f01174..6bfe868d5b 100644
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd November 30, 2016
+.Dd January 17, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -4227,7 +4227,7 @@ may only
 .Xr su 1
 to operator.
 .Bd -literal
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 %opers		ALL = (: ADMINGRP) /usr/sbin/
 .Ed
diff --git a/examples/sudoers b/examples/sudoers
index 9946008723..8ad6fa0383 100644
--- a/examples/sudoers
+++ b/examples/sudoers
@@ -88,7 +88,7 @@ operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
 joe		ALL = /usr/bin/su operator
 
 # pete may change passwords for anyone but root on the hp snakes
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 # bob may run anything on the sparc and sgi machines as any user
 # listed in the Runas_Alias "OP" (ie: root and operator)