From b232fab3a271c4c787462295d7ffbeca750c1092 Mon Sep 17 00:00:00 2001
From: Dave Brolley
Date: Mon, 14 Sep 2009 15:52:10 -0400
Subject: Further updates to NEWS regarding signing and unprivileged users.

---
 NEWS | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/NEWS b/NEWS
index f7af30f1..0b170732 100644
--- a/NEWS
+++ b/NEWS
@@ -39,24 +39,24 @@ - Using the --unprivileged option on stap enables translation-time checking for use by unprivileged users (see restrictions below). - All modules deemed suitable for use by unprivileged users will be signed - by stap-server (see module signing in release 0.9.8 and stap-server in - release 0.9 below). - - Modules signed by trusted signers and verified by staprun will be loaded by - staprun regardless of the user's privilege level. - - The system administrator asserts the trustworthiness of a signer by running - stap-authorize-signing-cert as root, where can - be found in ~/.systemtap/ssl/server/stap.cert for servers started by - ordinary users and in $sysconfdir/systemtap/ssl/server/stap.cert for servers - started by root. + by stap-server when --unprivileged is specified on stap-client (see module + signing in release 0.9.8 and stap-server in release 0.9 below). + - Modules signed by trusted signers (servers) and verified by staprun will be + loaded by staprun regardless of the user's privilege level. + - The system administrator asserts the trustworthiness of a signer (server) by + running stap-authorize-signing-cert as root, where + can be found in ~/.systemtap/ssl/server/stap.cert for servers started + by ordinary users and in $sysconfdir/systemtap/ssl/server/stap.cert for + servers started by root. - Servers started by root are automatically authorized as trusted signers on the local host. - - Restrictions are intentionally strict at this time and will be relaxed in + - Restrictions are intentionally strict at this time and may be relaxed in the future: - probe points are restricted to: begin, begin(n), end, end(n), error, error(n), never, timer.{jiffies,s,sec,ms,msec,us,usec,ns,nsec}(n)*, timer.hz(n), process.* (for processes owned by the user). - - embedded C code is not allowed. + - use of embedded C code is not allowed. - use of tapset functions using embedded C code is restricted. - accessing the kernel memory space is not allowed. 
- The following command line options may not be used: @@ -142,7 +142,7 @@ syscall arguments are also available by name in nd_syscalls. - Module signing: If the appropriate nss libraries are available on your - system, stap will sign each compiled module using a self-generated + system, stap-server will sign each compiled module using a self-generated certificate. This is the first step toward extending authority to load certain modules to unprivileged users. For now, if the system administrator adds a certificate to a database of trusted signers
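Review bot: In the first hunk (@@ -39,24 +39,24 @@) the sentence "running stap-authorize-signing-cert as root, where can be found in ~/.systemtap/ssl/server/stap.cert" is missing the name of the argument between "where" and "can", in both the removed and the added lines; the certificate-path argument should be named explicitly so a reader knows what to pass to stap-authorize-signing-cert. Since the same hunk states that modules signed by a trusted signer are "loaded by staprun regardless of the user's privilege level" and that "Servers started by root are automatically authorized as trusted signers on the local host", it would also help to say plainly that authorizing a signing certificate extends the right to load the resulting kernel modules to every user the server builds for, so the administrator knows what trust is being granted. The change from "will be relaxed" to "may be relaxed" is the right hedge.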
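Review bot: In the second hunk (@@ -142,7 +142,7 @@) the 0.9.8 entry still reads "stap-server will sign each compiled module", while the first hunk now qualifies signing with "when --unprivileged is specified on stap-client"; either add the same qualifier here or state that the unconditional signing describes the 0.9.8 behaviour, so the two NEWS entries do not contradict each other. Changing "stap" to "stap-server" is correct and consistent with the first hunk.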