Sudoers parsing order revisted
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 27 16:02:24 EDT 2004
In message <Pine.LNX.4.58.0405211535010.28651 at euterpe.slac.stanford.edu>
so spake "Moss, Leonard J." (ljm):
> I'd like to make sure I understand this correctly. I think
> you're saying that the last match rule would still apply even if
> the userid in one or both of the entries was replaced by a user
> alias that included that userid, correct?
That is the intended behavior. However, when this came up a few
weeks ago I discovered that the actual behavior is different.
Basically, when sudo looks at the commands that matched it does not
treat an entry where the command matches but the runas user is
explicitly denied the same as an entry where the runas user matches
and the command is explicitly denied.
I just committed a fix for this and it will appear in the next
beta release which will be out today or tomorrow...
More information about the sudo-users