Mention that disabling "root_sudo" is pretty pointless.

author Todd C. Miller <Todd.Miller@courtesan.com>

Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)

committer Todd C. Miller <Todd.Miller@courtesan.com>

Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)
author Todd C. Miller <Todd.Miller@courtesan.com>
Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)
committer Todd C. Miller <Todd.Miller@courtesan.com>
Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)
diff --git a/sudoers.pod b/sudoers.pod

index 52bfbf604450a91d2306b40f7ac1ff5b1fa87abf..9edd4f703ef205978fbd9628f684fd35d07946b5 100644 (file)
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -312,8 +312,11 @@ This flag is I<on> by default.
  
  If set, root is allowed to run B<sudo> too.  Disabling this prevents users
  from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">.
-This flag is I<on> by default.
+like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
+will also prevent root and from running B<sudoedit>.
+Disabling I<root_sudo> provides no real additional security; it
+exists purely for historical reasons.
+This flag is I<@root_sudo@> by default.
  
  =item log_host
author	Todd C. Miller <Todd.Miller@courtesan.com>
	Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)
committer	Todd C. Miller <Todd.Miller@courtesan.com>
	Sun, 1 Feb 2004 20:20:55 +0000 (20:20 +0000)