From dec7718878f8a4566cd2894ab8970e1bec19dbb9 Mon Sep 17 00:00:00 2001 From: Andrei Borzenkov Date: Sat, 30 May 2015 19:36:41 +0300 Subject: [PATCH] Clarify use of superusers variable and menu entry access superusers controls both CLI and editing. Also explicitly mention that empty superusers disables them. "Access to menuentry" is a bit vague - change to "execute menuentry" to make it obvious, what access is granted. --- docs/grub.texi | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi index 88bd75f38..b9f41a73e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5428,10 +5428,12 @@ In order to enable authentication support, the @samp{superusers} environment variable must be set to a list of usernames, separated by any of spaces, commas, semicolons, pipes, or ampersands. Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry. If -@samp{superusers} is set, then use of the command line is automatically -restricted to superusers. +@samp{superusers} is set, then use of the command line and editing of menu +entries are automatically restricted to superusers. Setting @samp{superusers} +to empty string effectively disables both access to CLI and editing of menu +entries. -Other users may be given access to specific menu entries by giving a list of +Other users may be allowed to execute specific menu entries by giving a list of usernames (as above) using the @option{--users} option to the @samp{menuentry} command (@pxref{menuentry}). If the @option{--unrestricted} option is used for a menu entry, then that entry is unrestricted.
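Review bot: The added sentence "Setting @samp{superusers} to empty string effectively disables both access to CLI and editing of menu entries" does not say for whom access is disabled, nor whether an empty value counts as "set" in the sense of the sentence just before it ("If @samp{superusers} is set, then ..."). If the intent is that an empty list leaves authentication on with no one qualifying as a superuser, say so directly, for example "Setting @samp{superusers} to an empty string still enables authentication, but no user can then use the command line or edit menu entries", so a reader does not take empty to mean unset and unprotected. Two smaller points in the same sentence: "CLI" should be "command line" to match the rest of the paragraph, and "to empty string" needs an article. A one-line @example showing the empty assignment would also help anyone copying this into a configuration.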