Mention PREVENTING SHELL ESCAPES section of sudoers man page

2025-08-29 05:17:54 +00:00 · 2004-09-27 18:05:58 +00:00 · 2004-09-27 18:05:58 +00:00 · a79c3af487
commit a79c3af487
parent 741177ad12
1 changed files with 10 additions and 8 deletions
--- a/sudo.pod
+++ b/sudo.pod
@ -359,14 +359,16 @@ will be ignored and sudo will log and complain.  This is done to
 keep a user from creating his/her own timestamp with a bogus
 date on systems that allow users to give away files.

-Please note that B<sudo> will only log the command it explicitly
-runs.  If a user runs a command such as C<sudo su> or C<sudo sh>,
-subsequent commands run from that shell will I<not> be logged, nor
-will B<sudo>'s access control affect them.  The same is true for
-commands that offer shell escapes (including most editors).  Because
-of this, care must be taken when giving users access to commands
-via B<sudo> to verify that the command does not inadvertently give
-the user an effective root shell.
+Please note that B<sudo> will normally only log the command it
+explicitly runs.  If a user runs a command such as C<sudo su> or
+C<sudo sh>, subsequent commands run from that shell will I<not> be
+logged, nor will B<sudo>'s access control affect them.  The same
+is true for commands that offer shell escapes (including most
+editors).  Because of this, care must be taken when giving users
+access to commands via B<sudo> to verify that the command does not
+inadvertently give the user an effective root shell.  For more
+information, please see the C<PREVENTING SHELL ESCAPES> section in
+L<sudoers(@mansectform@)>.

 =head1 ENVIRONMENT