Mention noexec

diff --git a/sudo.man.in b/sudo.man.in
index e0be23bb3621af6e9871b28e237b8a97c4a76da1..46961614e8f6a329f0e70ee62d91fce1cfe85b32 100644 (file)
--- a/sudo.man.in
+++ b/sudo.man.in
@@ -30,13 +30,13 @@
 .\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\" 
 .\" Sponsored in part by the Defense Advanced Research Projects
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
 .\" $Sudo$
-.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -167,7 +167,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 13, 2003" "1.6.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "January  9, 2004" "1.6.8" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudo \- execute a command as another user
 .SH "SYNOPSIS"
@@ -498,8 +498,12 @@ and fitness for a particular purpose are disclaimed.
 See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
 .SH "CAVEATS"
 .IX Header "CAVEATS"
-There is no easy way to prevent a user from gaining a root shell if
-that user has access to commands allowing shell escapes.
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via \fBsudo\fR.
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding \fBsudo\fR's checks.  However, on
+most systems it is possible to prevent shell escapes with \fBsudo\fR's
+\&\fInoexec\fR functionality.  See the \fIsudoers\fR\|(@mansectform@) manual for details.
 .PP
 If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
 their own program that gives them a root shell regardless of any '!'

diff --git a/sudo.pod b/sudo.pod
index a6256daf143705f945f1b865cb03907e8e2d445a..b93876c699380417b4aa58ec3373dd5b63f3440f 100644 (file)
--- a/sudo.pod
+++ b/sudo.pod
@@ -388,8 +388,12 @@ See the LICENSE file distributed with B<sudo> for complete details.
 
 =head1 CAVEATS
 
-There is no easy way to prevent a user from gaining a root shell if
-that user has access to commands allowing shell escapes.
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via B<sudo>.
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding B<sudo>'s checks.  However, on
+most systems it is possible to prevent shell escapes with B<sudo>'s
+I<noexec> functionality.  See the sudoers(5) manual for details.
 
 If users have sudo C<ALL> there is nothing to prevent them from creating
 their own program that gives them a root shell regardless of any '!'