[sudo-users] Clarification of sudoers manual requested: multiple matches in sudoers file
Todd C. Miller
Todd.Miller at courtesan.com
Tue Dec 11 14:41:22 EST 2007
In message <459520CEEC42F041A8B0CFBCEE958A11FF61CE at KKWNLEX182.kpnnl.local>
so spake (christian.peper):
> The manual lists:
> "When multiple entries match for a user, they are applied in order.
> Where there are multiple matches, the last match is used (which is not
> necessarily the most specific match)."
> Could someone elaborate on this?
> What exactly is the difference between 'multiple entries' and 'multiple
> How does this affect the order I must use when building a sudoers file?
There can be multiple sudoers entries that apply to a user. Since
sudoers is read in order, the last matching command in the last
entry that pertains to the user wins.
This does mean that, given:
someuser ALL = /bin/*, !/bin/sh
%somegroup ALL = ALL
if someuser is in somegroup they will be able to run any command,
even /bin/sh since the last match was "ALL=ALL". This is a contrived
example since it is never secure to give someone sudo ALL and then
try to deny specific commands.
> I have some users who belong to the groups users, sysop and dba and I'm
> going crazy trying to figure out which line exactly grants or denies
> permission on specific commands.
If you can put the least specific (or least privileged) entries
first it may work out the way you intend. Running "sudo -l" as the
user may also be useful here.
More information about the sudo-users