Mention PREVENTING SHELL ESCAPES section of sudoers man page

sudo.pod

@@ -359,14 +359,16 @@ will be ignored and sudo will log and complain.  This is done to
 keep a user from creating his/her own timestamp with a bogus
 date on systems that allow users to give away files.
 
-Please note that B<sudo> will only log the command it explicitly
+Please note that B<sudo> will normally only log the command it
-runs.  If a user runs a command such as C<sudo su> or C<sudo sh>,
+explicitly runs.  If a user runs a command such as C<sudo su> or
-subsequent commands run from that shell will I<not> be logged, nor
+C<sudo sh>, subsequent commands run from that shell will I<not> be
-will B<sudo>'s access control affect them.  The same is true for
+logged, nor will B<sudo>'s access control affect them.  The same
-commands that offer shell escapes (including most editors).  Because
+is true for commands that offer shell escapes (including most
-of this, care must be taken when giving users access to commands
+editors).  Because of this, care must be taken when giving users
-via B<sudo> to verify that the command does not inadvertently give
+access to commands via B<sudo> to verify that the command does not
-the user an effective root shell.
+inadvertently give the user an effective root shell.  For more
+information, please see the C<PREVENTING SHELL ESCAPES> section in
+L<sudoers(@mansectform@)>.
 
 =head1 ENVIRONMENT