[sudo-users] Clarification of sudoers manual requested: multiplematches in sudoers file
Galen Johnson
Galen.Johnson at sas.com
Mon Dec 10 13:08:47 EST 2007
Let's say you have a user, bob, who is a member of a group and sudo has
a configuration like
User_Alias ADMINS=bob,mike,tom
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
This says that bob has multiple entries (in the group and an explicit
entry) but the rules say that his last match contradicts the ADMINS. It
will give his last match...i.e., he can use shutdown with any
argument...if you reverse these entries:
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
then you have effectively restricted bob to the same command as the
other admins. and therefore not given him any special treatment...
As a rule of thumb, I list groups earlier in my definitions and explicit
allow/denies at the end...this way I know that the last command is
granted...it gets more confusing if bob is in multiple groups, then the
group order comes into play.
All this assumes I understand Todd's description and so far, experience
has borne me out...of course, I don't do a lot of explicit allows and
tend to use my groups more as roles with explicit Cmnd_Alias's assigned
to each role.
=G=
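To make the manual's "last match is used" wording concrete, here is a small Python model of the rule, added as an illustration; it is not sudo's source code and not part of this thread. It understands only the shapes used in the message above (plain command paths, an optional exact argument list, a leading `!` for denial, the PASSWD/NOPASSWD tags and a User_Alias line) and assumes the documented sudoers rule that a command listed with arguments matches only that exact argument list. Only entries that actually match the command being run take part in the last-match decision; the ORDER_TAGS and ORDER_DENY files are constructed variants showing cases where several entries do match and file order decides.

```python
"""Toy model of the sudoers "last match wins" rule (added illustration,
not sudo's code). Wildcards, Cmnd_Alias, Runas_Alias, host matching and
every other sudoers feature are deliberately left out."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Cmnd:
    path: str
    args: List[str] = field(default_factory=list)  # [] means "any arguments"
    negated: bool = False                           # '!' entries deny


@dataclass
class Spec:
    users: Set[str]      # users the line applies to (alias already expanded)
    tag: str             # "PASSWD" or "NOPASSWD"
    cmnds: List[Cmnd]


def parse_cmnd(text: str) -> Cmnd:
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    parts = text.split()
    return Cmnd(parts[0], parts[1:], negated)


def parse_spec(line: str, aliases: dict) -> Spec:
    # Only the shape "<who> ALL = (ALL) <TAG>: cmnd, cmnd, ..." is understood.
    who, rest = line.split(None, 1)
    rest = rest.split("=", 1)[1].split(")", 1)[1]   # drop "ALL = (ALL)"
    tag, cmnd_text = rest.split(":", 1)
    return Spec(aliases.get(who, {who}), tag.strip(),
                [parse_cmnd(c) for c in cmnd_text.split(",")])


def build(text: str) -> List[Spec]:
    """Parse a sudoers fragment into its user specifications, in file order."""
    aliases, specs = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("User_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
        elif line:
            specs.append(parse_spec(line, aliases))
    return specs


def cmnd_matches(c: Cmnd, path: str, args: List[str]) -> bool:
    # An entry with an explicit argument list matches only that exact list.
    return c.path == path and (not c.args or c.args == args)


def lookup(specs: List[Spec], user: str,
           argv: List[str]) -> Optional[Tuple[str, str]]:
    """Walk every entry in file order; the last one that matches decides."""
    path, args = argv[0], argv[1:]
    verdict = None
    for spec in specs:
        if user not in spec.users:
            continue
        for c in spec.cmnds:
            if cmnd_matches(c, path, args):
                verdict = ("deny" if c.negated else "allow", spec.tag)
    return verdict


# The two orderings from the message above.
ORDER_A = """
User_Alias ADMINS=bob,mike,tom
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
"""
ORDER_B = """
User_Alias ADMINS=bob,mike,tom
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0 -i0
"""
# Constructed variants where more than one entry matches the same command,
# so file order really decides: differing tags, and a '!' denial.
ORDER_TAGS = """
User_Alias ADMINS=bob,mike,tom
ADMINS ALL = (ALL) NOPASSWD: /usr/sbin/shutdown -y -g0 -i0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
"""
ORDER_DENY = """
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown, !/usr/sbin/shutdown -h now
"""

if __name__ == "__main__":
    reboot = ["/usr/sbin/shutdown", "-r", "now"]
    exact = ["/usr/sbin/shutdown", "-y", "-g0", "-i0"]
    for name, text in (("A", ORDER_A), ("B", ORDER_B)):
        specs = build(text)
        print(name, "bob  shutdown -r now:", lookup(specs, "bob", reboot))
        print(name, "mike shutdown -r now:", lookup(specs, "mike", reboot))
    print("tags, bob exact args:", lookup(build(ORDER_TAGS), "bob", exact))
    print("deny, bob -h now:", lookup(build(ORDER_DENY), "bob",
                                      ["/usr/sbin/shutdown", "-h", "now"]))
```

In ORDER_A and ORDER_B, bob's plain `/usr/sbin/shutdown` entry is the only one that matches `shutdown -r now`, because the ADMINS entry carries an explicit argument list and so does not match other arguments; the order of those two lines therefore does not change that outcome, while mike gets no match at all. Order does decide in ORDER_TAGS, where the later, less specific bob line overrides the earlier NOPASSWD entry for the exact arguments, and in ORDER_DENY, where the later `!` entry denies one argument combination. On a real system, check what a given user actually ends up with using `sudo -l -U bob` and validate the file with `visudo -c`.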
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
christian.peper at kpn.com
Sent: Monday, December 10, 2007 11:26 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Clarification of sudoers manual requested:
multiplematches in sudoers file
Dear all,
I have a small issue with the sudoers manual about multiple matches and
how that's handled. It concerns the 2nd paragraph in the section
"Description".
http://www.gratisoft.us/sudo/man/sudoers.html
The manual lists:
"When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match)."
Could someone elaborate on this?
What exactly is the difference between 'multiple entries' and 'multiple
matches'?
How does this affect the order I must use when building a sudoers file?
I have some users who belong to the groups users, sysop and dba and I'm
going crazy trying to figure out which line exactly grants or denies
permission on specific commands.
Much appreciated!
Chris.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users