[sudo-users] Cmd_alias' hiding previously defined ones.

Jason.C.Burns at wellsfargo.com Jason.C.Burns at wellsfargo.com
Wed Sep 20 00:33:18 EDT 2006


Greetings,
 
I have an interesting problem with v1.6.8p9.  Here is a snippet of the
sudoers in question.
 
<begin>
Cmnd_Alias WEBADMIN = /opt/webserver/start
 
 
<user> ALL = (webadmin) ALL
<user> ALL = WEBADMIN
<end>
 
 
When my users try to do `sudo -u webadmin /opt/webserver/start`, they
get a "You are not permitted to run `start` on <host>."  Playing around
a bit, I found that if I comment out the "<user> ALL = (WEBADMIN)" line,
they can run the command.  Vice versa, putting both lines back in, the
users can run `sudo /opt/webserver/start`.  I concluded that this is
because the WEBADMIN directive is hiding the (webserver)ALL one, and
thus they could run the command when trying to run as root (likewise,
they could run any other command not in the WEBADMIN alias as webadmin).
 
Looking at the man page, I see that:
 
When multiple entries match for a user, they are applied in order. Where
there are conflicting values, the last match is used (which is not
necessarily the most specific match).
 
Which I can accept.  However, when using sudo v1.6.7p5, this same
sudoers file works just fine.  When switching to v1.6.8p9 and leaving
the sudoers file in place, this error crops up.
 
I guess I'm confused because there is nothing mentioned in the change
logs or any bugs I could find that mentioned that previous versions
either did not implement this or did not implement it correctly.  Was
this intentional for this particular kind of hiding to happen, or is
this a "bug"?

Thanks for your time!
 
Jason