=== modified file 'TODO'
--- TODO	2008-08-17 20:34:18 +0000
+++ TODO	2008-08-18 03:25:01 +0000
@@ -87,18 +87,18 @@
 ** [#A] Config file man page: man5/mandos.conf (mandos.conf)
 ** [#A] Config file man page: man5/mandos-clients.conf (clients.conf)
 ** [#A] /etc/init.d/mandos-server		:teddy:
-** Log level
+** [#B] Log level				:bugs:
 ** /etc/mandos/clients.d/*.conf
    Watch this directory and add/remove/update clients?
 ** config for TXT record
-** Run-time communication with server
+** [#B] Run-time communication with server	:bugs:
    Probably using D-Bus
    See also [[*Mandos-tools]]
-** Implement --foreground
+** Implement --foreground			:bugs:
    [[info:standards:Option%20Table][Table of Long Options]]
 ** Implement --socket
    [[info:standards:Option%20Table][Table of Long Options]]
-** Date+time on console log messages
+** Date+time on console log messages		:bugs:
    Is this the default?
 
 * Mandos-tools/utilities

=== modified file 'mandos.xml'
--- mandos.xml	2008-08-17 22:42:28 +0000
+++ mandos.xml	2008-08-18 03:25:01 +0000
@@ -73,27 +73,30 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
-      <arg choice="opt">--interface<arg choice="plain">IF</arg></arg>
-      <arg choice="opt">--address<arg choice="plain">ADDRESS</arg></arg>
-      <arg choice="opt">--port<arg choice="plain">PORT</arg></arg>
-      <arg choice="opt">--priority<arg choice="plain">PRIORITY</arg></arg>
-      <arg choice="opt">--servicename<arg choice="plain">NAME</arg></arg>
-      <arg choice="opt">--configdir<arg choice="plain">DIRECTORY</arg></arg>
-      <arg choice="opt">--debug</arg>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>&COMMANDNAME;</command>
-      <arg choice="opt">-i<arg choice="plain">IF</arg></arg>
-      <arg choice="opt">-a<arg choice="plain">ADDRESS</arg></arg>
-      <arg choice="opt">-p<arg choice="plain">PORT</arg></arg>
-      <arg choice="opt">--priority<arg choice="plain">PRIORITY</arg></arg>
-      <arg choice="opt">--servicename<arg choice="plain">NAME</arg></arg>
-      <arg choice="opt">--configdir<arg choice="plain">DIRECTORY</arg></arg>
-      <arg choice="opt">--debug</arg>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>&COMMANDNAME;</command>
-      <arg choice="plain">--help</arg>
+      <arg>--interface<arg choice="plain">IF</arg></arg>
+      <arg>--address<arg choice="plain">ADDRESS</arg></arg>
+      <arg>--port<arg choice="plain">PORT</arg></arg>
+      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
+      <arg>--servicename<arg choice="plain">NAME</arg></arg>
+      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
+      <arg>--debug</arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>&COMMANDNAME;</command>
+      <arg>-i<arg choice="plain">IF</arg></arg>
+      <arg>-a<arg choice="plain">ADDRESS</arg></arg>
+      <arg>-p<arg choice="plain">PORT</arg></arg>
+      <arg>--priority<arg choice="plain">PRIORITY</arg></arg>
+      <arg>--servicename<arg choice="plain">NAME</arg></arg>
+      <arg>--configdir<arg choice="plain">DIRECTORY</arg></arg>
+      <arg>--debug</arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>&COMMANDNAME;</command>
+      <group choice="req">
+	<arg choice="plain">-h</arg>
+	<arg choice="plain">--help</arg>
+      </group>
     </cmdsynopsis>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
@@ -154,7 +157,9 @@
 	  <para>
 	    Only announce the server and listen to requests on network
 	    interface <replaceable>IF</replaceable>.  Default is to
-	    use all available interfaces.
+	    use all available interfaces.  <emphasis>Note:</emphasis>
+	    a failure to bind to the specified interface is not
+	    considered critical, and the server does not exit.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -372,6 +377,26 @@
     </para>
   </refsect1>
 
+  <refsect1 id="environment">
+    <title>ENVIRONMENT</title>
+    <variablelist>
+      <varlistentry>
+	<term><varname>PATH</varname></term>
+	<listitem>
+	  <para>
+	    To start the configured checker (see <xref
+	    linkend="checking"/>), the server uses
+	    <filename>/bin/sh</filename>, which in turn uses
+	    <varname>PATH</varname> to search for matching commands if
+	    an absolute path is not given.  See <citerefentry>
+	    <refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
+	  </citerefentry>
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1 id="file">
     <title>FILES</title>
     <para>
@@ -418,19 +443,50 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term><filename>/bin/sh</filename></term>
+	<listitem>
+	  <para>
+	    This is used to start the configured checker command for
+	    each client.  See <citerefentry>
+	    <refentrytitle>mandos-clients.conf</refentrytitle>
+	    <manvolnum>5</manvolnum></citerefentry> for details.
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
-
+  
   <refsect1 id="bugs">
     <title>BUGS</title>
     <para>
       This server might, on especially fatal errors, emit a Python
       backtrace.  This could be considered a feature.
     </para>
+    <para>
+      Currently, if a client is declared <quote>invalid</quote> due to
+      having timed out, the server does not record this fact onto
+      permanent storage.  This has some security implications, see
+      <xref linkend="CLIENTS"/>.
+    </para>
+    <para>
+      There is currently no way of querying the server of the current
+      status of clients, other than analyzing its <systemitem
+      class="service">syslog</systemitem> output.
+    </para>
+    <para>
+      There is no fine-grained control over logging and debug output.
+    </para>
+    <para>
+      Debug mode is conflated with running in the foreground.
+    </para>
+    <para>
+      The console log messages does not show a timestamp.
+    </para>
   </refsect1>
-
-  <refsect1 id="examples">
-    <title>EXAMPLES</title>
+  
+  <refsect1 id="example">
+    <title>EXAMPLE</title>
     <informalexample>
       <para>
 	Normal invocation needs no options:
@@ -469,16 +525,16 @@
 
   <refsect1 id="security">
     <title>SECURITY</title>
-    <refsect2>
+    <refsect2 id="SERVER">
       <title>SERVER</title>
       <para>
-	Running this &COMMANDNAME; server program should not in itself
-	present any security risk to the host computer running it.
-	The program does not need any special privileges to run, and
-	is designed to run as a non-root user.
+	Running this <command>&COMMANDNAME;</command> server program
+	should not in itself present any security risk to the host
+	computer running it.  The program does not need any special
+	privileges to run, and is designed to run as a non-root user.
       </para>
     </refsect2>
-    <refsect2>
+    <refsect2 id="CLIENTS">
       <title>CLIENTS</title>
       <para>
 	The server only gives out its stored data to clients which
@@ -499,6 +555,21 @@
 	compromised if they are gone for too long.
       </para>
       <para>
+	If a client is compromised, its downtime should be duly noted
+	by the server which would therefore declare the client
+	invalid.  But if the server was ever restarted, it would
+	re-read its client list from its configuration file and again
+	regard all clients therein as valid, and hence eligible to
+	receive their passwords.  Therefore, be careful when
+	restarting servers if you suspect that a client has, in fact,
+	been compromised by parties who may now be running a fake
+	Mandos client with the keys from the non-encrypted initial RAM
+	image of the client host.  What should be done in that case
+	(if restarting the server program really is necessary) is to
+	stop the server program, edit the configuration file to omit
+	any suspect clients, and restart the server program.
+      </para>
+      <para>
 	For more details on client-side security, see
 	<citerefentry><refentrytitle>password-request</refentrytitle>
 	<manvolnum>8mandos</manvolnum></citerefentry>.