[sudo-users] Clarification of sudoers manual requested: multiple matches in sudoers file

Todd C. Miller Todd.Miller at courtesan.com
Tue Dec 11 14:41:22 EST 2007


In message <459520CEEC42F041A8B0CFBCEE958A11FF61CE at KKWNLEX182.kpnnl.local>
	so spake  (christian.peper):

> The manual lists:
> "When multiple entries match for a user, they are applied in order.
> Where there are multiple matches, the last match is used (which is not
> necessarily the most specific match)."
> 
> Could someone elaborate on this?
> What exactly is the difference between 'multiple entries' and 'multiple
> matches'?
> How does this affect the order I must use when building a sudoers file?

There can be multiple sudoers entries that apply to a user.  Since
sudoers is read in order, the last matching command in the last
entry that pertains to the user wins.

This does mean that, given:

someuser	ALL = /bin/*, !/bin/sh
...
%somegroup	ALL = ALL

if someuser is in somegroup they will be able to run any command,
even /bin/sh since the last match was "ALL=ALL".  This is a contrived
example since it is never secure to give someone sudo ALL and then
try to deny specific commands.

> I have some users who belong to the groups users, sysop and dba and I'm
> going crazy trying to figure out which line exactly grants or denies
> permission on specific commands.

If you can put the least specific (or least privileged) entries
first it may work out the way you intend.  Running "sudo -l" as the
user may also be useful here.
 
 - todd
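As an added illustration of the last-match rule Todd describes (a toy model written for this page, not sudo's own matching code), the following walks a sudoers-shaped text in file order and lets the last matching Cmnd_Spec decide; it assumes someuser is a member of somegroup, ignores the host part, and supports no aliases, Runas or Defaults. It also evaluates the same two entries with their order swapped, which is the "least privileged first" arrangement suggested at the end of the reply.

```python
import fnmatch

# Constructed sample in the shape of the two entries above (the "..." line,
# which only stands for unrelated entries, is left out).
SUDOERS_AS_POSTED = """
someuser\tALL = /bin/*, !/bin/sh
%somegroup\tALL = ALL
"""
# Same entries, least privileged one first.
SUDOERS_REORDERED = """
%somegroup\tALL = ALL
someuser\tALL = /bin/*, !/bin/sh
"""
# Assumed group membership for the example.
GROUPS = {"somegroup": {"someuser", "otheruser"}}

def parse_sudoers(text):
    """Return [(who, [(negated, cmnd_pattern), ...]), ...] in file order.
    Simplified grammar: 'who HOST = cmnd, !cmnd'; the host part is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        who, rest = line.split(None, 1)
        cmnds = rest.split("=", 1)[1]
        specs = []
        for c in cmnds.split(","):
            c = c.strip()
            specs.append((c.startswith("!"), c.lstrip("!").strip()))
        entries.append((who, specs))
    return entries

def user_matches(who, user, groups):
    if who.startswith("%"):                   # %name is a group entry
        return user in groups.get(who[1:], set())
    return who == user

def cmnd_matches(pattern, command):
    return pattern == "ALL" or fnmatch.fnmatchcase(command, pattern)

def may_run(text, user, command, groups=GROUPS):
    """Visit every entry that pertains to the user; the last Cmnd_Spec that
    matches the command wins, whether it grants or denies."""
    verdict = False                           # no match at all -> denied
    for who, specs in parse_sudoers(text):
        if not user_matches(who, user, groups):
            continue
        for negated, pattern in specs:
            if cmnd_matches(pattern, command):
                verdict = not negated         # later matches overwrite earlier ones
    return verdict
```

With the entries as posted, may_run(SUDOERS_AS_POSTED, "someuser", "/bin/sh") is True because the group's ALL is the last match; with the order swapped the !/bin/sh spec matches last and the same call returns False.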
