From 72f77b8941d9a7cd3f625938c704c1e6c1dd75f3 Mon Sep 17 00:00:00 2001 From: Jakob Kaivo Date: Sun, 7 Feb 2021 13:57:26 -0500 Subject: add full precedence list --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 9430233..b2a8195 100644 --- a/README.md +++ b/README.md @@ -58,3 +58,20 @@ as to be most restrictive. In order from least to most: is executed. This is handled by PAM with the service name `privexec`. `deny` - The user is not permitted to execute the command. + +A user name match has higher precedence than a group match, and a match +containing a program name has higher precedence than a match without the +program name. So the total ordering of precedence (from least to most) is: + + authorized :group + authenticate :group + deny :group + authorized :group command + authenticate :group command + deny :group command + authorized user + authenticate user + deny user + authorized user command + authenticate user command + deny user command -- cgit v1.2.1
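Review bot: In the new 12-row ordering added to README.md, every `user` row outranks every `:group` row, so `authorized user` takes precedence over `deny :group command`. The README should say this outright. The unchanged context just above describes the actions as ordered "as to be most restrictive", and a reader could take that to mean a `deny` always wins, when per this list it only wins among matches of the same specificity. One sentence after the list would cover it, for example noting that a user-level `authorized` overrides a group-level `deny`. Two smaller points: the prose says "program name" while the rows say `command`, and one term should be used for both; and the text does not say how ties are resolved when a user belongs to several groups whose rules sit on the same row level.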