--- -	2009-08-21 15:37:14 +0400
+++ consolehelper.8	2009-08-21 15:35:33 +0400
@@ -43,6 +43,8 @@
 .I /usr/lib/consolehelper/priv/auth
 privileged helper program to do the real work.)
 
+.SH MAKING YOUR PROGRAM MANAGED
+
 .B consolehelper
 requires that a PAM configuration for every managed program
 exist.  So to make /sbin/\fIfoo\fP or /usr/sbin/\fIfoo\fP managed, you
@@ -51,6 +53,18 @@
 and create the file /etc/pam.d/\fIfoo\fP, normally using the
 .IR pam_console (8)
 PAM module.
+
+For obscure reasons, the file /etc/security/console.apps/\fIfoo\fP
+is also required to exist, with the following contents:
+
+   USER=\fIroot\fP
+   PROGRAM=/sbin/\fIfoo\fP
+   SESSION=true
+
+USER is the user to run the program as (normally \fBroot\fP).
+PROGRAM is the full path to the program. SESSION is always \fItrue\fP;
+leave it that way.
+
 .SH OPTIONS
 This program has no command line options of its own; it passes all
 command line options on to the program it is calling.