author Jakob Kaivo <> 2021-02-07 13:57:26 -0500
committer Jakob Kaivo <> 2021-02-07 13:57:26 -0500
commit 72f77b8941d9a7cd3f625938c704c1e6c1dd75f3
parent 5e74f5da46dd78a239a2af7c8a71041f2c480d80
add full precedence list
1 files changed, 17 insertions, 0 deletions
diff --git a/ b/
index 9430233..b2a8195 100644
--- a/
+++ b/
@@ -58,3 +58,20 @@ as to be most restrictive. In order from least to most:
is executed. This is handled by PAM with the service name `privexec`.
`deny` - The user is not permitted to execute the command.
+A user name match has higher precedence than a group match, and a match
+containing a program name has higher precedence than a match without the
+program name. So the total ordering of precedence (from least to most) is:
+ authorized :group
+ authenticate :group
+ deny :group
+ authorized :group command
+ authenticate :group command
+ deny :group command
+ authorized user
+ authenticate user
+ deny user
+ authorized user command
+ authenticate user command
+ deny user command
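Review bot: The added list ranks `authorized user` above `deny :group command`, so a bare user-level allow overrides a group-level deny on a specific command. The context line above describes ordering "as to be most restrictive", so a reader may not expect this. Suggest adding one sentence after the list saying that match specificity (user over group, then command over no command) is decided first, and that the action (`authorized`, `authenticate`, `deny`) only breaks ties within the same match type. A short example of a user entry overriding a group deny would help administrators audit their configuration. Style point: the context writes the action as `deny` in backticks, while the list entries are bare words with nothing marking them as literal text; setting the list off the same way would keep the twelve entries from being reflowed into a paragraph if this file is rendered as markup.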