--- gvpe/doc/gvpe.conf.5.pod	2011/03/06 19:40:27	1.28
+++ gvpe/doc/gvpe.conf.5.pod	2012/12/04 10:29:43	1.29
@@ -100,6 +100,32 @@
 
 =over 4
 
+=item chroot = path or /
+
+Tells GVPE to chroot(2) to the specified path after reading all necessary
+files, binding to sockets and running the C<if-up> script, but before
+running C<node-up> or any other scripts.
+
+The special path F</> instructs GVPE to create (and remove) an empty
+temporary directory to use as new root. This is most secure, but makes it
+impossible to use any scripts other than the C<if-up> one.
+
+=item chuid = numerical-uid
+
+=item chgid = numerical-gid
+
+These two options tell GVPE to change to the given user and/or group id
+after reading all necessary files, binding to sockets and running the
+C<if-up> script.
+
+Other scripts, such as C<node-up>, are run with the new user id or group id.
+
+=item chuser = username
+
+Alternative to C<chuid> and C<chgid>: Sets both C<chuid> and C<chgid>
+to the user and (primary) group ids of the specified user (for example,
+C<nobody>).
+
 =item dns-forw-host = hostname/ip
 
 The DNS server to forward DNS requests to for the DNS tunnel protocol
@@ -326,7 +352,7 @@
 
 Sets the keepalive probe interval in seconds (default: C<60>). After this
 many seconds of inactivity the daemon will start to send keepalive probe
-every 3 seconds until it receives a reply from the other end.  If no reply
+every 3 seconds until it receives a reply from the other end. If no reply
 is received within 15 seconds, the peer is considered unreachable and the
 connection is closed.