author: Todd C. Miller <Todd.Miller@sudo.ws> 2022-12-12 16:35:00 -0700
committer: Todd C. Miller <Todd.Miller@sudo.ws> 2022-12-12 16:35:00 -0700
commit: c2fcbb007581bae3816f8359c5b4c7ee301b91b1 (patch)
tree: 52a5b205a9da100be624e1d5fc68aa876cb2811f /docs
parent: 447593160f4fba254412482cad9fc3d3a8dd6211 (diff)
download: sudo-c2fcbb007581bae3816f8359c5b4c7ee301b91b1.tar.gz
Mention the audit plugin in the "Process model" section.
Remove extraneous information describing how sudo may exec the command directly; this is already included in the non-pty section.
Diffstat (limited to 'docs')
-rw-r--r-- docs/sudo.man.in 33
-rw-r--r-- docs/sudo.mdoc.in 33
2 files changed, 28 insertions, 38 deletions
diff --git a/docs/sudo.man.in b/docs/sudo.man.in
index 8b95deefe..3ff04aff8 100644
--- a/docs/sudo.man.in
+++ b/docs/sudo.man.in
@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "December 12, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -837,8 +837,8 @@ There are two distinct ways
\fBsudo\fR
can run a command.
.PP
-If an I/O logging plugin is configured or if the security policy
-explicitly requests it, a new pseudo-terminal
+If an I/O logging plugin is configured to log terminal I/O, or if
+the security policy explicitly requests it, a new pseudo-terminal
(\(lqpty\(rq)
is allocated and
fork(2)
@@ -850,16 +850,17 @@ The
\fImonitor\fR
creates a new terminal session with itself as the leader and the pty as its
controlling terminal, calls
-fork(2),
-sets up the execution environment as described above, and then uses the
+fork(2)
+again, sets up the execution environment as described above, and then uses the
execve(2)
system call to run the command in the child process.
The
\fImonitor\fR
exists to relay job control signals between the user's
-existing terminal and the pty the command is being run in.
-This makes it possible to suspend and resume the command.
-Without the monitor, the command would be in what POSIX terms an
+terminal and the pty the command is being run in.
+This makes it possible to suspend and resume the command normally.
+Without the
+\fImonitor\fR, \fIthe command would be in what POSIX terms an\fR
\(lqorphaned process group\(rq
and it would not receive any job control signals from the kernel.
When the command exits or is terminated by a signal, the
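Review bot: the second added line of the "Without the" rewrite, `\fImonitor\fR, \fIthe command would be in what POSIX terms an\fR`, italicizes the whole trailing clause rather than only the word monitor; the mdoc counterpart in this same commit emphasizes just the word. Suggest `\fImonitor\fR, the command would be in what POSIX terms an` so the rendered man page matches the mdoc output.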
@@ -869,8 +870,9 @@ passes the command's exit status to the main
process and exits.
After receiving the command's exit status, the main
\fBsudo\fR
-passes the command's exit status to the security policy's close function
-and exits.
+process passes the command's exit status to the security policy's
+close function, as well as the close function of any configured audit
+plugin, and exits.
.PP
If no pty is used,
\fBsudo\fR
@@ -882,7 +884,8 @@ system call to run the command in the child process.
The main
\fBsudo\fR
process waits until the command has completed, then passes the
-command's exit status to the security policy's close function and exits.
+command's exit status to the security policy's close function, as
+well as the close function of any configured audit plugins, and exits.
As a special case, if the policy plugin does not define a close
function,
\fBsudo\fR
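Review bot: the wording here is inconsistent with the previous hunk: this one says `the close function of any configured audit plugins`, while the @@ -869 hunk says `the close function of any configured audit plugin`. Pick one form for both places (and for the matching hunks in sudo.mdoc.in); if the plural is kept, `the close functions of any configured audit plugins` reads more naturally.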
@@ -970,14 +973,6 @@ are run using the
family of functions instead of
\fBsystem\fR()
(which interposes a shell between the command and the calling process).
-.PP
-If no I/O logging plugins are loaded and the policy plugin has not
-defined a
-\fBclose\fR()
-function, set a command timeout, or required that the command be
-run in a new pty,
-\fBsudo\fR
-may execute the command directly instead of running it as a child process.
.SS "Plugins"
Plugins may be specified via
\fIPlugin\fR
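Review bot: the removed paragraph listed four conditions under which sudo may execute the command directly (no I/O logging plugin loaded, no policy close() function, no command timeout, no pty required). The non-pty section visible in the @@ -882 hunk mentions only the missing close function in its "As a special case" sentence; check that the rest of that section also states the other three conditions, otherwise the removal drops information that the commit message says is still covered.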
diff --git a/docs/sudo.mdoc.in b/docs/sudo.mdoc.in
index 82985f2da..ffde30b4d 100644
--- a/docs/sudo.mdoc.in
+++ b/docs/sudo.mdoc.in
@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
-.Dd September 13, 2022
+.Dd December 12, 2022
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -773,8 +773,8 @@ There are two distinct ways
.Nm
can run a command.
.Pp
-If an I/O logging plugin is configured or if the security policy
-explicitly requests it, a new pseudo-terminal
+If an I/O logging plugin is configured to log terminal I/O, or if
+the security policy explicitly requests it, a new pseudo-terminal
.Pq Dq pty
is allocated and
.Xr fork 2
@@ -786,16 +786,17 @@ The
.Em monitor
creates a new terminal session with itself as the leader and the pty as its
controlling terminal, calls
-.Xr fork 2 ,
-sets up the execution environment as described above, and then uses the
+.Xr fork 2
+again, sets up the execution environment as described above, and then uses the
.Xr execve 2
system call to run the command in the child process.
The
.Em monitor
exists to relay job control signals between the user's
-existing terminal and the pty the command is being run in.
-This makes it possible to suspend and resume the command.
-Without the monitor, the command would be in what POSIX terms an
+terminal and the pty the command is being run in.
+This makes it possible to suspend and resume the command normally.
+Without the
+.Em monitor , the command would be in what POSIX terms an
.Dq orphaned process group
and it would not receive any job control signals from the kernel.
When the command exits or is terminated by a signal, the
@@ -805,8 +806,9 @@ passes the command's exit status to the main
process and exits.
After receiving the command's exit status, the main
.Nm
-passes the command's exit status to the security policy's close function
-and exits.
+process passes the command's exit status to the security policy's
+close function, as well as the close function of any configured audit
+plugin, and exits.
.Pp
If no pty is used,
.Nm
@@ -818,7 +820,8 @@ system call to run the command in the child process.
The main
.Nm
process waits until the command has completed, then passes the
-command's exit status to the security policy's close function and exits.
+command's exit status to the security policy's close function, as
+well as the close function of any configured audit plugins, and exits.
As a special case, if the policy plugin does not define a close
function,
.Nm
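Review bot: same singular/plural mismatch as in sudo.man.in: `any configured audit plugins` here versus `any configured audit plugin` in the @@ -805 hunk. Both manual page sources carry the same text and should use the same form.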
@@ -906,14 +909,6 @@ are run using the
family of functions instead of
.Fn system
(which interposes a shell between the command and the calling process).
-.Pp
-If no I/O logging plugins are loaded and the policy plugin has not
-defined a
-.Fn close
-function, set a command timeout, or required that the command be
-run in a new pty,
-.Nm
-may execute the command directly instead of running it as a child process.
.Ss Plugins
Plugins may be specified via
.Em Plugin