From 54789af27e8b7591253b41ec579feb1f81484696 Mon Sep 17 00:00:00 2001 From: Ben Kibbey Date: Sat, 12 Dec 2020 21:38:34 -0800 Subject: [PATCH] docs: Fix some typos and grammar. --- doc/pwmd.html | 132 ++++++++++++++++++++++++++++----------------------------- doc/pwmd.texi | 118 +++++++++++++++++++++++++-------------------------- src/commands.c | 16 +++---- 3 files changed, 133 insertions(+), 133 deletions(-) diff --git a/doc/pwmd.html b/doc/pwmd.html index 8ab77f40..dc4a0f74 100644 --- a/doc/pwmd.html +++ b/doc/pwmd.html @@ -90,20 +90,19 @@ Next: , Up:

Password Manager Daemon (or pwmd) is a server that -applications connect to and send commands to put and get data -that is stored in an OpenPGP encrypted XML document. It mimics a -filesystem in a lot of ways including per element ACL’s, but also has -the advantage of remote connections over TLS and a document cache. The -document cache is needed for a data file encrypted with keys stored on a -smartcard. +applications connect to and send commands to put and get data that is stored +in an OpenPGP encrypted XML document. It mimics a filesystem in a +lot of ways including per element ACL’s, but also has the advantage +of remote connections over TLS and a document cache. The document cache is +needed for a data file encrypted with secret keys stored on a smartcard.

The server uses the Assuan protocol (See (assuan)Implementation) which -is the same used by gpg-agent, pinentry and -scdaemon. It also uses libgpg-error for error reporting with -GPG_ERR_SOURCE_USER_1 being the error source. +is the same used by gpg-agent, pinentry, gpgme +and scdaemon. It also uses libgpg-error for error reporting +with GPG_ERR_SOURCE_USER_1 being the error source.

-

The XML document uses the following DTD: +

The XML document uses the following DTD:

    <?xml version="1.0"?>
@@ -116,10 +115,10 @@ is the same used by gpg-agent, pinentry and
 

The pwmd element is the document root node while all other elements of the document have the name element with an attribute _name whose value uniquely identifies the element at the current element tree depth. -It is done this way to avoid XML parsing errors for commonly used -characters. A URL for example would be an invalid XML element -since the URI contains a ‘:’ which is also the XML -namespace separator. +It is done this way to avoid XML parsing errors for commonly used +characters. A URL for example would be an invalid XML +element since the URI contains a ‘:’ which is also the +XML namespace separator.

As mentioned, an element name must be unique for the current element tree depth. You cannot have two elements containing the same _name attribute @@ -129,7 +128,8 @@ element path beginning at the child node of the matched element.

An element path is a TAB delimited character string where each TAB separates each element in the path. For example, the element path -aTABbTABc has the following XML document structure: +aTABbTABc has the following XML document +structure:

	<pwmd>
@@ -153,18 +153,18 @@ Next: , Previ
 

2 Access Control

-

Like a filesystem has an ACL to grant or limit access to directories or -files for a specific user or group, pwmd can limit a local user, -group or a TLS connection to a specific element path. This is done by -storing an ACL in the element attribute _acl. Its syntax is +

Like a filesystem has an ACL to grant or limit access to directories +or files for a specific user or group, pwmd can limit a local user, +group or a TLS connection to a specific element path. This is done +by storing an ACL in the element attribute _acl. Its syntax is similar to the allowed configuration parameter (see Configuration) -with the exception that a TLS fingerprint hash is prefixed with a +with the exception that a TLS fingerprint hash is prefixed with a #.

-

Access is denied for all users that are not in the ACL of an element +

Access is denied for any user that is not in the ACL of an element with the exception of an invoking user (see the invoking_user). The -connected client must be in the ACL for each element in an element path -otherwise an error is returned. As an example: +connected client must be in the ACL for each element in an element +path otherwise an error is returned. As an example:

<element _name="test" _acl="username,-@wheel,root,#ABCDEF">
@@ -175,13 +175,13 @@ otherwise an error is returned.  As an example:
 

The user username would be allowed access to the test element but not if it is a member of the wheel group although, the root user, who may be a member of the wheel group, is allowed. The SHA-256 -TLS fingerprint hash #ABCDEF is also allowed. No users other than an +TLS fingerprint hash #ABCDEF is also allowed. No users other than an invoking_user are allowed access to the child element.

-

The first user listed in the ACL is considered the owner of the +

The first user listed in the ACL is considered the owner of the element. This determines which clients may modify an _acl attribute and store content for an element. An invoking_user may always modify an -ACL. +ACL.


@@ -192,13 +192,13 @@ Next: , Previous: While pwmd has its own cache settings for an XML document, +

While pwmd has its own cache settings for an XML document, gpg-agent has cache settings for the keys used for crypto operations of a data file. Specifically the ignore-cache-for-signing, default-cache-ttl and max-cache-ttl options. These gpg-agent options may need to be adjusted depending on your usage needs. For example, the OPEN command may not require a passphrase to -open a data file do to the gpg-agent having a cached key even though the +open a data file due to the gpg-agent having a cached key even though the ISCACHED command returns an error indicating the data file is not cached; which usually means a passphrase would be required. Keys for symmetric data files are never kept in the gpg-agent cache regardless of @@ -207,7 +207,7 @@ data files are never kept in the gpg-agent cache regardless of

A copy-on-write operation is done for commands that modify the document; the client that invoked the command will work on a copy of the in-memory document. The first client to SAVE the changes to disk will require other clients -to reopen the data file do to the checksum being updated. +to reopen the data file due to the checksum being updated.


@@ -294,9 +294,9 @@ from the --homedir and --rcfile options.

--import, -I filename|-
-

Imports the XML filename. When filename is - the -XML is read from stdin. The XML file should be in conformance to -the pwmd DTD (see Introduction). You will be prompted for +

Imports the XML filename. When filename is - the +XML is read from stdin. The XML file should be in conformance to +the pwmd DTD (see Introduction). You will be prompted for a passphrase to encrypt with. The output is written to the filename specified with --outfile. To make use of the imported data, place the output file in ~/.pwmd/data. @@ -304,14 +304,14 @@ file in ~/.pwmd/data.

--output, -o filename|-

When importing, write the encrypted data file to filename. When -filename is - output will be written to stdout. +filename is - output will be written to stdout.

--passphrase-file, -k filename"

Obtain the passphrase to use when importing from the specified filename.

-
--keyid fingerprint[,fingerprint]
+
--keyid fingerprint[,fingerprint,...]

Specifies the fingerprint of the encryption key to use as a recipient when importing. When not specified a new key-pair will be created.

@@ -358,9 +358,9 @@ protocol commands (see Commands). This overrides any

Run as a foreground process and do not fork into the background.

-
--ignore, --force
+
--force

Ignore cache pushing failures on startup. By default, pwmd will exit -if an error occurred do to an invalid passphrase or other error. +if an error occurred due to an invalid passphrase or other error.

--version
@@ -419,7 +419,7 @@ connections will be refused. The default is 128.
invoking_user = [-!]user,[-!]@group,[-!]#SHA-256,...

This parameter is not to be confused with setuid or setguid upon startup. It’s syntax is the same as the allowed parameter except that it is a list of -local usernames, group names and TLS fingerprint hashes that may use the +local usernames, group names and TLS fingerprint hashes that may use the XPATH, XPATHATTR and DUMP commands (except when disabled with the disable_list_and_dump option) and also who may modify elements that have no _acl attribute or is not listed in an @@ -443,13 +443,13 @@ is not an invoking_user. The default is false.

strict_kill = boolean

When false, the KILL command (see KILL) will allow killing -another client that is not of the same UID or TLS fingerprint of +another client that is not of the same UID or TLS fingerprint of the current client and when not an invoking_user. The default us false.

allowed = [-!]user,[-!]@group,/path/to/exec,[+,][-!]#SHA-256,...
-

A comma separated list of local user names, group names or TLS +

A comma separated list of local user names, group names or TLS fingerprint SHA-256 hashes (in the case of a remote client) who are allowed to connect. Groups should be prefixed with a ‘@’. When not specified only the user who started pwmd may connect. A username, @@ -460,7 +460,7 @@ important since a user may be a member of multiple groups.

Connections from local clients may also be limited by command name. A command name is the full path to the execuatble on the filesystem. The command check is done after all other user and group name checks. When no command is -specified all commands are valid. When the connecting client is not of the +specified all commands are allowed. When the connecting client is not of the same UID as the user that invoked pwmd this feature is ignored.

@@ -472,7 +472,7 @@ can connect may also open any filename (provided they can decrypt it).

The following example would deny all users in group primary but allow username who may be a member of primary. It will also -allow any TLS client except for the client with TLS fingerprint hash +allow any TLS client except for the client with TLS fingerprint hash #ABCDEF. For the local connections, the connecting client must be using the /usr/bin/pwmc program:

@@ -551,25 +551,24 @@ The default is 0.

disable_list_and_dump = boolean
-

When true, the XPATH, XPATHATTR, LIST and +

When true the XPATH, XPATHATTR, LIST and DUMP protocol commands (see Commands) will be disabled.

cache_push = file1,file2
-

A comma separated list of filenames that will be pushed into the file cache -upon startup. pwmd will prompt for the passphrase for each file -unless specified with passphrase_file parameter in a matching file -section. +

A comma separated list of filenames to be cached upon startup. pwmd +will prompt for the passphrase for each file unless specified with +passphrase_file parameter in a matching file section.

priority = integer
-

The priority, or niceness, of the server. The default is inherited from the +

The priority or niceness of the server. The default is inherited from the parent process.

lock_timeout = integer
-

The default timeout in tenths of a second before giving up waiting for a file -lock and returning an error. The default is 50. +

The default timeout in tenths of a second before giving up while waiting for a +file lock and returning an error. The default is 50.

@@ -636,7 +635,8 @@ connect. Next: , Previous: , Up: Configuration   [Contents]

6 Configuring remote connections over TLS.

-

Remote connections can also be made to pwmd over TLS. +

In addition to connecting to pwmd via a Unix Domain Socket, remote +connections can also be made to pwmd over TLS. Authentication is done by using X.509 client certificates that are signed with the same Certificate Authority (CA) as the server certificate.

@@ -648,17 +648,17 @@ file should be put in ~/.pwmd/server-cert.pem and

See the documentation of certtool or openssl for details about creating self-signed certificates.

-

The following TLS configuration options are available: +

The following TLS configuration options are available:

enable_tcp = boolean
-

Whether to enable TCP/TLS server support. If enabled, both TCP and the local +

Whether to enable TCP/TLS server support. If enabled, both TCP and the local unix domain socket will listen for connections. The default is false.

tcp_port = integer
-

The TCP port to listen on when enable_tcp is true. The default is +

The TCP port to listen on when enable_tcp is true. The default is 6466.

@@ -674,7 +674,7 @@ or any to listen for both IPv4 and IPv6 connections. The default is
tls_timeout = seconds

The number of seconds to wait for a read() or write() call on a -TLS client file descriptor to complete before returning an +TLS client file descriptor to complete before returning an error. The default is 300.

@@ -704,7 +704,7 @@ then DH algorithms will not be available to the client. See the openssl dhparam or certtool manual pages for details about generating this file.

-

Note that SIGHUP will not reload this file once TLS support has been enabled. +

Note that SIGHUP will not reload this file once TLS support has been enabled. You will need to restart pwmd for changes to take effect.

@@ -726,7 +726,7 @@ Next: , Previous: The pinentry program is used to prompt the user for passphrase input or as a confirmation dialog; it needs to know where to prompt for -the input, beit from a terminal or an X11 display. +the input; from a terminal or an X11 display.

It is the responsibility of the client to tell pinentry about the terminal or X11 display before requiring the input. This is done with the @@ -1241,7 +1241,7 @@ element path contained in a target attribute could not be found. Flag then an element path, is the element path of the target attribute contained in the current element.

-When a specified element path contains an error, beit from the final +When a specified element path contains an error either from the final element in the path or any previous element, the path is still shown but will contain the error flag for the element with the error. Determining the actual element which contains the error is up to the client. This can be @@ -1444,8 +1444,8 @@ Next:
, Previous:

Changes the passphrase of the secret key required to open the current -data file. If the data file is symmetrically encrypted, the error -GPG_ERR_NOT_SUPPORTED is returned. When symmetrically encrypted, +data file. If the data file is symmetrically encrypted the error +GPG_ERR_NOT_SUPPORTED is returned. When symmetrically encrypted the SAVE command (see SAVE) should be used instead to prevent this command saving any unwanted changes to the XML document.

@@ -1528,9 +1528,9 @@ Next: , Previous: OPEN).

-If the file is a new one, one of --symmetric, --keyid or ---inquire-keyid is required. When not --symmetric, option ---sign-keyid is also required, but optional otherwise. +If the file is a new one one of --symmetric, --keyid or +--inquire-keyid is required. When not --symmetric the +option --sign-keyid is also required but optional otherwise.

You can encrypt the data file to a recipient other than the one that it was originally encrypted with by passing the --keyid or @@ -1636,7 +1636,7 @@ elements in XML format. When the --inquire option is passed then all remaining non-option arguments are retrieved via a server INQUIRE.

-See http://www.w3schools.com/xpath/xpath_syntax.asp for XPATH +See https://www.w3schools.com/xml/xpath_intro.asp for XPATH expression syntax.

@@ -1667,7 +1667,7 @@ found in the document. The attribute value will be empty but still exist. When the --inquire option is passed then all remaining non-option arguments are retrieved via a server INQUIRE.

-See http://www.w3schools.com/xpath/xpath_syntax.asp for XPATH +See https://www.w3schools.com/xml/xpath_intro.asp for XPATH expression syntax.

@@ -1814,7 +1814,7 @@ expiry will be. <flags> ...Forwarded from GpgME. Contains information that is useful in a pinentry. Only sent when pinentry is disabled (see OPTION). REHANDSHAKE -Sent to each TLS client just before performing a cipher renegotiation +Sent to each TLS client just before performing a cipher renegotiation after a SIGHUP signal was received. BULK BEGIN|END <command id>Sent to the current client before and after the BULK command @@ -1833,7 +1833,7 @@ Next: , when found in each element of an element path. This attribute, like other element attributes, is created or modified with the ATTR command (see ATTR). The value of this attribute is an existing element path -somewhere in the document. If you are familiar with XML entities or +somewhere in the document. If you are familiar with XML entities or maybe the HTML id or _target attributes or a symbolic link in a file-system, you may find this attribute behaves similar to any of those.

diff --git a/doc/pwmd.texi b/doc/pwmd.texi index cca1c031..151810bf 100644 --- a/doc/pwmd.texi +++ b/doc/pwmd.texi @@ -66,21 +66,20 @@ their syntax. @mansect description @dfn{Password Manager Daemon} (or @command{pwmd}) is a server that -applications connect to and send commands to put and get data -that is stored in an OpenPGP encrypted XML document. It mimics a -filesystem in a lot of ways including per element ACL's, but also has -the advantage of remote connections over TLS and a document cache. The -document cache is needed for a data file encrypted with keys stored on a -smartcard. +applications connect to and send commands to put and get data that is stored +in an OpenPGP encrypted @acronym{XML} document. It mimics a filesystem in a +lot of ways including per element @acronym{ACL}'s, but also has the advantage +of remote connections over @acronym{TLS} and a document cache. The document cache is +needed for a data file encrypted with secret keys stored on a smartcard. The server uses the Assuan protocol (@inforef{Implementation,,assuan}) which -is the same used by @command{gpg-agent}, @command{pinentry} and -@command{scdaemon}. It also uses @cite{libgpg-error} for error reporting with -@var{GPG_ERR_SOURCE_USER_1} being the error source. +is the same used by @command{gpg-agent}, @command{pinentry}, @command{gpgme} +and @command{scdaemon}. It also uses @cite{libgpg-error} for error reporting +with @var{GPG_ERR_SOURCE_USER_1} being the error source. @ifset isman .P You can import an existing @command{pwmd} version @var{3.0.x} data file by -dumping the raw XML data with +dumping the raw @acronym{XML} data with .BR pwmd-dump(1) to a file, then importing that file by using @command{pwmd}'s @option{--import} command line @@ -95,7 +94,7 @@ found here. @end ifset @manpause -The XML document uses the following DTD: +The @acronym{XML} document uses the following @acronym{DTD}: @example 
@@ -108,10 +107,10 @@ The XML document uses the following DTD: The @code{pwmd} element is the document root node while all other elements of the document have the name @code{element} with an attribute @code{_name} whose value uniquely identifies the element at the current element tree depth. -It is done this way to avoid XML parsing errors for commonly used -characters. A URL for example would be an invalid XML element -since the URI contains a @samp{:} which is also the XML -namespace separator. +It is done this way to avoid @acronym{XML} parsing errors for commonly used +characters. A @acronym{URL} for example would be an invalid @acronym{XML} +element since the @acronym{URI} contains a @samp{:} which is also the +@acronym{XML} namespace separator. As mentioned, an element name must be unique for the current element tree depth. You cannot have two elements containing the same @code{_name} attribute @@ -121,7 +120,8 @@ element path beginning at the child node of the matched element. An @emph{element path} is a @code{TAB} delimited character string where each @code{TAB} separates each element in the path. For example, the element path -@code{a@code{TAB}b@code{TAB}c} has the following XML document structure: +@code{a@code{TAB}b@code{TAB}c} has the following @acronym{XML} document +structure: @example 
@@ -142,18 +142,18 @@ characters. @node Access Control, Cache Control, Introduction, Top @chapter Access Control -Like a filesystem has an ACL to grant or limit access to directories or -files for a specific user or group, @command{pwmd} can limit a local user, -group or a TLS connection to a specific element path. This is done by -storing an ACL in the element attribute @var{_acl}. Its syntax is +Like a filesystem has an @acronym{ACL} to grant or limit access to directories +or files for a specific user or group, @command{pwmd} can limit a local user, +group or a @acronym{TLS} connection to a specific element path. This is done +by storing an @acronym{ACL} in the element attribute @var{_acl}. Its syntax is similar to the @var{allowed} configuration parameter (@pxref{Configuration}) -with the exception that a TLS fingerprint hash is prefixed with a +with the exception that a @acronym{TLS} fingerprint hash is prefixed with a @code{#}. -Access is denied for all users that are not in the ACL of an element +Access is denied for any user that is not in the @acronym{ACL} of an element with the exception of an invoking user (see the @var{invoking_user}). The -connected client must be in the ACL for each element in an element path -otherwise an error is returned. As an example: +connected client must be in the @acronym{ACL} for each element in an element +path otherwise an error is returned. As an example: @example 
@@ -164,13 +164,13 @@ otherwise an error is returned. As an example: The user @code{username} would be allowed access to the @code{test} element but not if it is a member of the @code{wheel} group although, the @code{root} user, who may be a member of the @code{wheel} group, is allowed. The SHA-256 -TLS fingerprint hash @code{#ABCDEF} is also allowed. No users other than an +@acronym{TLS} fingerprint hash @code{#ABCDEF} is also allowed. No users other than an @var{invoking_user} are allowed access to the @code{child} element. -The first user listed in the ACL is considered the owner of the +The first user listed in the @acronym{ACL} is considered the owner of the element. This determines which clients may modify an @var{_acl} attribute and store content for an element. An @var{invoking_user} may always modify an -ACL. +@acronym{ACL}. @c Node, Next, Previous, Up @node Cache Control, Invoking, Access Control, Top @@ -178,13 +178,13 @@ ACL. @mancont @mansect cache notes -While @command{pwmd} has its own cache settings for an XML document, +While @command{pwmd} has its own cache settings for an @acronym{XML} document, @command{gpg-agent} has cache settings for the keys used for crypto operations of a data file. Specifically the @option{ignore-cache-for-signing}, @option{default-cache-ttl} and @option{max-cache-ttl} options. These @command{gpg-agent} options may need to be adjusted depending on your usage needs. For example, the @code{OPEN} command may not require a passphrase to -open a data file do to the gpg-agent having a cached key even though the +open a data file due to the gpg-agent having a cached key even though the @code{ISCACHED} command returns an error indicating the data file is not cached; which usually means a passphrase would be required. Keys for symmetric data files are never kept in the @command{gpg-agent} cache regardless of 
@@ -193,7 +193,7 @@ data files are never kept in the @command{gpg-agent} cache regardless of A copy-on-write operation is done for commands that modify the document; the client that invoked the command will work on a copy of the in-memory document. The first client to @code{SAVE} the changes to disk will require other clients -to reopen the data file do to the checksum being updated. +to reopen the data file due to the checksum being updated. @c Node, Next, Previous, Up @node Invoking, Configuration, Cache Control, Top @@ -273,21 +273,21 @@ Terminate an existing instance of pwmd. The process to terminate is determined from the @option{--homedir} and @option{--rcfile} options. @item --import, -I filename|- -Imports the XML @var(unknown). When @var(unknown) is @code{-} the -XML is read from stdin. The XML file should be in conformance to -the @command{pwmd} DTD (@pxref{Introduction}). You will be prompted for +Imports the @acronym{XML} @var(unknown). When @var(unknown) is @code{-} the +@acronym{XML} is read from @code{stdin}. The @acronym{XML} file should be in conformance to +the @command{pwmd} @acronym{DTD} (@pxref{Introduction}). You will be prompted for a passphrase to encrypt with. The output is written to the filename specified with @option{--outfile}. To make use of the imported data, place the output file in @file{~/.pwmd/data}. @item --output, -o filename|- When importing, write the encrypted data file to @var(unknown). When -@var(unknown) is @code{-} output will be written to stdout. +@var(unknown) is @code{-} output will be written to @code{stdout}. @item --passphrase-file, -k filename" Obtain the passphrase to use when importing from the specified @var(unknown). -@item --keyid fingerprint[,fingerprint] +@item --keyid fingerprint[,fingerprint,...] Specifies the fingerprint of the encryption key to use as a recipient when importing. When not specified a new key-pair will be created. 
@@ -325,9 +325,9 @@ protocol commands (@pxref{Commands}). This overrides any @item --no-fork, -n Run as a foreground process and do not fork into the background. -@item --ignore, --force +@item --force Ignore cache pushing failures on startup. By default, @command{pwmd} will exit -if an error occurred do to an invalid passphrase or other error. +if an error occurred due to an invalid passphrase or other error. @item --version Show the version, copyright and compile time features and exit. @@ -377,7 +377,7 @@ connections will be refused. The default is @code{128}. @item invoking_user = [-!]user,[-!]@@group,[-!]#SHA-256,... This parameter is not to be confused with setuid or setguid upon startup. It's syntax is the same as the @code{allowed} parameter except that it is a list of -local usernames, group names and TLS fingerprint hashes that may use the +local usernames, group names and @acronym{TLS} fingerprint hashes that may use the @command{XPATH}, @command{XPATHATTR} and @command{DUMP} commands (except when disabled with the @code{disable_list_and_dump} option) and also who may modify elements that have no @code{_acl} attribute or is not listed in an 
@@ -398,12 +398,12 @@ is not an @code{invoking_user}. The default is @code{false}. @item strict_kill = boolean When @code{false}, the @code{KILL} command (@pxref{KILL}) will allow killing -another client that is not of the same @code{UID} or TLS fingerprint of +another client that is not of the same @code{UID} or @acronym{TLS} fingerprint of the current client and when not an @code{invoking_user}. The default us @code{false}. @item allowed = [-!]user,[-!]@@group,/path/to/exec,[+,][-!]#SHA-256,... -A comma separated list of local user names, group names or TLS +A comma separated list of local user names, group names or @acronym{TLS} fingerprint SHA-256 hashes (in the case of a remote client) who are allowed to connect. Groups should be prefixed with a @samp{@@}. When not specified only the user who started @command{pwmd} may connect. A username, @@ -414,7 +414,7 @@ important since a user may be a member of multiple groups. Connections from local clients may also be limited by command name. A command name is the full path to the execuatble on the filesystem. The command check is done after all other user and group name checks. When no command is -specified all commands are valid. When the connecting client is not of the +specified all commands are allowed. When the connecting client is not of the same @acronym{UID} as the user that invoked @command{pwmd} this feature is ignored. @@ -426,7 +426,7 @@ can connect may also open any filename (provided they can decrypt it). The following example would deny all users in group @code{primary} but allow @code{username} who may be a member of @code{primary}. It will also -allow any TLS client except for the client with TLS fingerprint hash +allow any @acronym{TLS} client except for the client with @acronym{TLS} fingerprint hash @code{#ABCDEF}. For the local connections, the connecting client must be using the /usr/bin/pwmc program: 
@@ -493,22 +493,21 @@ Attempt to kill @command{scdaemon} after a client disconnects. The default is @code{false}. @item disable_list_and_dump = boolean -When @code{true}, the @code{XPATH}, @code{XPATHATTR}, @code{LIST} and +When @code{true} the @code{XPATH}, @code{XPATHATTR}, @code{LIST} and @code{DUMP} protocol commands (@pxref{Commands}) will be disabled. @item cache_push = file1,file2 -A comma separated list of filenames that will be pushed into the file cache -upon startup. @command{pwmd} will prompt for the passphrase for each file -unless specified with @var{passphrase_file} parameter in a matching file -section. +A comma separated list of filenames to be cached upon startup. @command{pwmd} +will prompt for the passphrase for each file unless specified with +@var{passphrase_file} parameter in a matching file section. @item priority = integer -The priority, or niceness, of the server. The default is inherited from the +The priority or niceness of the server. The default is inherited from the parent process. @item lock_timeout = integer -The default timeout in tenths of a second before giving up waiting for a file -lock and returning an error. The default is @code{50}. +The default timeout in tenths of a second before giving up while waiting for a +file lock and returning an error. The default is @code{50}. @end table @@ -568,7 +567,8 @@ connect. @ifset manverb .P @end ifset -Remote connections can also be made to @command{pwmd} over TLS. +In addition to connecting to @command{pwmd} via a Unix Domain Socket, remote +connections can also be made to @command{pwmd} over @acronym{TLS}. Authentication is done by using X.509 client certificates that are signed with the same Certificate Authority (CA) as the server certificate. 
@@ -580,16 +580,16 @@ file should be put in @file{~/.pwmd/server-cert.pem} and See the documentation of @command{certtool} or @command{openssl} for details about creating self-signed certificates. -The following TLS configuration options are available: +The following @acronym{TLS} configuration options are available: @table @samp @item enable_tcp = boolean -Whether to enable TCP/TLS server support. If enabled, both TCP and the local +Whether to enable @acronym{TCP}/@acronym{TLS} server support. If enabled, both @acronym{TCP} and the local unix domain socket will listen for connections. The default is @code{false}. @item tcp_port = integer -The TCP port to listen on when @var{enable_tcp} is @code{true}. The default is +The @acronym{TCP} port to listen on when @var{enable_tcp} is @code{true}. The default is @code{6466}. @item tcp_bind = string @@ -602,7 +602,7 @@ Only useful if running as root. @item tls_timeout = seconds The number of seconds to wait for a read() or write() call on a -TLS client file descriptor to complete before returning an +@acronym{TLS} client file descriptor to complete before returning an error. The default is @var{300}. @item keepalive_interval = seconds @@ -628,7 +628,7 @@ then DH algorithms will not be available to the client. See the @command{openssl dhparam} or @command{certtool} manual pages for details about generating this file. -Note that SIGHUP will not reload this file once TLS support has been enabled. +Note that SIGHUP will not reload this file once @acronym{TLS} support has been enabled. You will need to restart @command{pwmd} for changes to take effect. @item tls_use_crl = boolean 
@@ -644,7 +644,7 @@ file. @mansect Pinentry The @command{pinentry} program is used to prompt the user for passphrase input or as a confirmation dialog; it needs to know where to prompt for -the input, beit from a terminal or an X11 display. +the input; from a terminal or an X11 display. It is the responsibility of the client to tell @command{pinentry} about the terminal or X11 display before requiring the input. This is done with the @@ -840,7 +840,7 @@ expiry will be. @item REHANDSHAKE @cindex REHANDSHAKE @tab -@tab Sent to each TLS client just before performing a cipher renegotiation +@tab Sent to each @acronym{TLS} client just before performing a cipher renegotiation after a SIGHUP signal was received. @item BULK @@ -859,7 +859,7 @@ A @emph{case sensitive} attribute named @code{_target} is treated specially when found in each element of an element path. This attribute, like other element attributes, is created or modified with the @code{ATTR} command (@pxref{ATTR}). The value of this attribute is an existing element path -somewhere in the document. If you are familiar with XML entities or +somewhere in the document. If you are familiar with @acronym{XML} entities or maybe the HTML @code{id} or @code{_target} attributes or a symbolic link in a file-system, you may find this attribute behaves similar to any of those. diff --git a/src/commands.c b/src/commands.c index 90242851..244fa617 100644 --- a/src/commands.c +++ b/src/commands.c 
@@ -5230,8 +5230,8 @@ init_commands () new_command("PASSWD", 1, 0, 0, FLOCK_TYPE_EX|FLOCK_TYPE_KEEP, passwd_command, _( "PASSWD\n" /* Changing the passphrase for a key. */ "Changes the passphrase of the secret key required to open the current " -"data file. If the data file is symmetrically encrypted, the error " -"@code{GPG_ERR_NOT_SUPPORTED} is returned. When symmetrically encrypted, " +"data file. If the data file is symmetrically encrypted the error " +"@code{GPG_ERR_NOT_SUPPORTED} is returned. When symmetrically encrypted " "the @code{SAVE} command (@pxref{SAVE}) should be used instead to prevent " "this command saving any unwanted changes to the @abbr{XML} document." "@*@*" @@ -5276,9 +5276,9 @@ init_commands () "Writes the in-memory @abbr{XML} document to disk. The file written to is the " "file that was opened when using the @code{OPEN} command (@pxref{OPEN})." "@*@*" -"If the file is a new one, one of @option{--symmetric}, @option{--keyid} or" -"@option{--inquire-keyid} is required. When not @option{--symmetric}, option " -"@option{--sign-keyid} is also required, but optional otherwise." +"If the file is a new one one of @option{--symmetric}, @option{--keyid} or" +"@option{--inquire-keyid} is required. When not @option{--symmetric} the " +"option @option{--sign-keyid} is also required but optional otherwise." "@*@*" "You can encrypt the data file to a recipient other than the one that it " "was originally encrypted with by passing the @option{--keyid} or " 
@@ -5370,7 +5370,7 @@ init_commands () "then an element path, is the element path of the @var{target} attribute " "contained in the current element." "@*@*" -"When a specified element path contains an error, beit from the final " +"When a specified element path contains an error either from the final " "element in the path or any previous element, the path is still shown but " "will contain the error flag for the element with the error. Determining " "the actual element which contains the error is up to the client. This can be " @@ -5514,7 +5514,7 @@ init_commands () "When the @option{--inquire} option is passed then all remaining non-option " "arguments are retrieved via a server @emph{INQUIRE}." "@*@*" -"See @url{http://www.w3schools.com/xpath/xpath_syntax.asp} for @abbr{XPATH} " +"See @url{https://www.w3schools.com/xml/xpath_intro.asp} for @abbr{XPATH} " "expression syntax." )); @@ -5535,7 +5535,7 @@ init_commands () "When the @option{--inquire} option is passed then all remaining non-option " "arguments are retrieved via a server @emph{INQUIRE}." "@*@*" -"See @url{http://www.w3schools.com/xpath/xpath_syntax.asp} for @abbr{XPATH} " +"See @url{https://www.w3schools.com/xml/xpath_intro.asp} for @abbr{XPATH} " "expression syntax." )); -- 2.11.4.GIT
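Review bot: the rewrapped lines in the doc/pwmd.texi hunk at @@ -580 now run well past the fill width of the surrounding paragraphs ("Whether to enable @acronym{TCP}/@acronym{TLS} server support. If enabled, both @acronym{TCP} and the local", and the tcp_port and SIGHUP lines likewise); refill those paragraphs so the Texinfo source stays wrapped like its neighbours, otherwise the next editor touching them will produce a noisier diff.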
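Review bot: in the doc/pwmd.texi hunk at @@ -644 the replacement "the input; from a terminal or an X11 display." turns the clause into a fragment, since a semicolon has to join two independent clauses. The original wording was clearly meant to be "be it", so "the input, be it from a terminal or an X11 display." fixes the typo without changing the sentence structure.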
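Review bot: the doc/pwmd.texi hunk at @@ -859 wraps XML in @acronym but leaves "HTML" bare on the very next line ("maybe the HTML @code{id} or @code{_target} attributes"), which is inconsistent with what this patch is doing everywhere else; mark it @acronym{HTML} too. While touching that paragraph, "you may find this attribute behaves similar to any of those" should read "behaves similarly to".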
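Review bot: the comma removals in the src/commands.c hunk at @@ -5230 make the PASSWD help text harder to read rather than easier: "If the data file is symmetrically encrypted the error ... is returned" and "When symmetrically encrypted the @code{SAVE} command ..." both open with an introductory conditional clause, and the comma after it was correct. Keep the original lines for those two sentences.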
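Review bot: "If the file is a new one one of @option{--symmetric}, ..." in the src/commands.c hunk at @@ -5276 reads as a doubled word once the comma is gone; keep "If the file is a new one, one of ...". Also, since this line is being edited anyway, note that `@option{--keyid} or"` has no trailing space before the next string literal `"@option{--inquire-keyid}`, so the concatenated help text renders as "or@option{--inquire-keyid}"; this pre-existing defect survives the change, and adding the space here would fix it.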
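Review bot: in the src/commands.c hunk at @@ -5370 the new wording "When a specified element path contains an error either from the final element in the path or any previous element, the path is still shown" needs a comma after "error" so the "either ... or" phrase reads as the parenthetical it is: "contains an error, either from the final element in the path or any previous element, the path is still shown".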
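Review bot: the URL change in the src/commands.c hunks at @@ -5514 and @@ -5535 replaces a link named for XPath syntax with one named for an XPath introduction, but the sentence still promises "for @abbr{XPATH} expression syntax"; either link to the page that actually documents the expression syntax or reword the sentence to say it is an introduction. The same sentence is duplicated verbatim in both command help strings, so a shared constant would keep the two from drifting apart again.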
