[sudo-users] Clarification of sudoers manual requested: multiplematches in sudoers file

Galen Johnson Galen.Johnson at sas.com
Mon Dec 10 13:08:47 EST 2007

Let's say you have a user, bob, who is a member of a group and sudo has
a configuration like

User_Alias ADMINS=bob,mike,tom

ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0
bob ALL = (ALL) PASSWD: /usr/sbin/shutdown

This says that bob has multiple entries (in the group and an explicit
entry) but the rules say that his last match contradicts the ADMINS.  It
will give his last match...ie, he can use shutdown with any
argument...if you reverse these entries:

bob ALL = (ALL) PASSWD: /usr/sbin/shutdown
ADMINS ALL = (ALL) PASSWD: /bin/ps, /bin/ls, /usr/sbin/shutdown -y -g0

then you have effectively restricted bob to the same command as the
other admins. and therefore not given him any special treatment...

As a rule of thumb, I list groups earlier in my definitions and explict
allow/denies at the end...this way I know that the last command is
granted...it gets more confusing if bob is in multiple groups, then the
group order comes into play.

All this assumes I understand Todd's description and so far, experience
has bourne me out...of course, I don't do a lot of explicit allows and
tend to use my groups more as roles with explicit Cmnd_Alias's assigned
to each role.


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
christian.peper at kpn.com
Sent: Monday, December 10, 2007 11:26 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Clarification of sudoers manual requested:
multiplematches in sudoers file

Dear all,

I have a small issue with the sudoers manual about multiple matches and
how that's handled. It concerns the 2nd paragraph in the section

The manual lists:
"When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match)."

Could someone elaborate on this?
What exactly is the difference between 'multiple entries' and 'multiple
How does this affect the order I must use when building a sudoers file?

I have some users who belong to the groups users, sysop and dba and I'm
going crazy trying to figure out which line exactly grants or denies
permission on specific commands.

Much appreciated!
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list