Try to improve the PAGERS noexec example a bit.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 661be62886f62ef5c07fb57c8af19467a7858e55..cd213e84b1826a46139ea6c2c87ea7fa1da09b1e 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1920,7 +1920,8 @@ E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
      file and make sure we log the year in each log line since the log entries
      will be kept around for several years.  Lastly, we disable shell escapes
      for the commands in the PAGERS Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and
-     _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+     _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).  Note that this will not effectively constrain users with
+     s\bsu\bud\bdo\bo A\bAL\bLL\bL privileges.
 
      # Override built-in defaults
      Defaults                syslog=auth
@@ -2025,7 +2026,9 @@ E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
 
      For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
      the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU and
-     _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+     _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.  While not specifically mentioned in the rule, the
+     commands in the _\bP_\bA_\bG_\bE_\bR_\bS Cmnd_Alias all reside in _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and have the
+     _\bn_\bo_\be_\bx_\be_\bc option set.
 
      steve           CSNETS = (operator) /usr/local/op_commands/
 
@@ -2269,4 +2272,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.8                      August 6, 2013                      Sudo 1.8.8
+Sudo 1.8.8                      August 31, 2013                     Sudo 1.8.8

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 28581db28a55a2ef4315109374557a1ad088b6b1..ddbb8dab89b859a6ad69749d55b0dd85b3d62027 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "@mansectsu@" "August 6, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "August 31, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3884,6 +3884,10 @@ Lastly, we disable shell escapes for the commands in the PAGERS
 and
 \fI/usr/bin/less\fR)
 \&.
+Note that this will not effectively constrain users with
+\fBsudo\fR
+\fBALL\fR
+privileges.
 .nf
 .sp
 .RS 0n
@@ -4157,6 +4161,14 @@ belonging to the
 and
 \fISHELLS\fR
 \fRCmnd_Aliases\fR.
+While not specifically mentioned in the rule, the commands in the
+\fIPAGERS\fR
+\fRCmnd_Alias\fR
+all reside in
+\fI/usr/bin\fR
+and have the
+\fInoexec\fR
+option set.
 .nf
 .sp
 .RS 0n

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index b23f32b9752a0207828c36e5c756b098af5add3d..672132927d94db07a4f86f6e3e18f90378a4b226 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd August 6, 2013
+.Dd August 31, 2013
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3596,6 +3596,10 @@ Lastly, we disable shell escapes for the commands in the PAGERS
 and
 .Pa /usr/bin/less
 .Pc .
+Note that this will not effectively constrain users with
+.Nm sudo
+.Sy ALL
+privileges.
 .Bd -literal
 # Override built-in defaults
 Defaults               syslog=auth
@@ -3827,6 +3831,14 @@ belonging to the
 and
 .Em SHELLS
 .Li Cmnd_Aliases .
+While not specifically mentioned in the rule, the commands in the
+.Em PAGERS
+.Li Cmnd_Alias
+all reside in
+.Pa /usr/bin
+and have the
+.Em noexec
+option set.
 .Bd -literal
 steve          CSNETS = (operator) /usr/local/op_commands/
 .Ed