More documentation for radmin and examples

diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 713f10d..b602da7 100644 (file)
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -1,4 +1,4 @@
-.TH RADMIN 8 "7 Sept 2008" "" "FreeRADIUS Server Administration Tool"
+.TH RADMIN 8 "10 Sept 2008" "" "FreeRADIUS Server Administration Tool"
 .SH NAME
 radmin - FreeRADIUS Administration tool
 .SH SYNOPSIS
@@ -23,6 +23,12 @@ commands.
 This tool is experimental and should not be used in production
 environments.  Changes may be made at any time to the commands
 accepted by the server, and/or to the resulting output.
+
+The security protections offered by this command are pretty minimal.
+If someone has permission to connect to the server, they can do almost
+anything, from stopping the server, to changing it's configuration.
+
+Please exercise caution when using this command!
 .SH OPTIONS
 The following command-line options are accepted by the program.
 .IP "\-d \fIconfig directory\fP"
@@ -37,7 +43,41 @@ Specify the socket filename directly.  The radiusd.conf file is not read.
 Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
 .IP \-q
 Quiet mode.
+.SH COMMANDS
+The commands implemented by the command-line interface are almost
+completely controlled by the server.  There are a few commands
+interpreted locally by radmin:
+.IP reconnect
+Reconnect to the server.
+.IP quit
+Exit from radmin.
+.IP exit
+Exit from radmin.
+.PP
+The other commands are implemented by the server.  Type "help" at the
+prompt for more information.
+.SH EXAMPLES
+.IP debug\ file\ /var/log/radius/bob.log
+Set debug logs to /var/log/radius/bob.log.  There is very little
+checking of this filename.  Rogue administrators may be able use this
+command to over-write almost any file on the system.  If those
+administrators have write access to "radius.conf", they can do the
+same thing without radmin, too.
+.IP debug\ condition\ '(User-Name\ ==\ "bob")'
+Enable debugging output for all requests that match the condition.
+Any "unlang" condition is valid here.  The condition is parsed as a
+string, so it must be enclosed in single or double quotes.  Strings
+enclosed in double-quotes must have back-slashes and the quotation
+marks escaped inside of the string.
+
+Only one debug condition can be active at a time.
+.IP debug\ condition\ '((User-Name\ ==\ "bob")\ ||\ (Packet-Src-IP-Address\ ==\ 192.0.2.22))'
+A more complex condition that enables debugging output for requests
+containing User-Name "bob", or requests that originate from source IP
+address 192.0.2.22.
+.IP debug\ condition
+Disable debug conditionals.
 .SH SEE ALSO
-radiusd.conf(5), raddb/sites-available/control
+unlang(5), radiusd.conf(5), raddb/sites-available/control
 .SH AUTHOR
 Alan DeKok <aland@freeradius.org>