[sudo-users] Clarification of sudoers manual requested: multiple matches in sudoers file

christian.peper at kpn.com christian.peper at kpn.com
Wed Dec 12 03:50:43 EST 2007

> -----Original Message-----
> From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
> Sent: Tuesday, December 11, 2007 8:41 PM
> Subject: Re: [sudo-users] Clarification of sudoers manual 
> requested: multiple matches in sudoers file 
> In message so spake  (christian.peper):
> > The manual lists:
> > "When multiple entries match for a user, they are applied in order.
> > Where there are multiple matches, the last match is used 
> (which is not 
> > necessarily the most specific match)."
> > 
> > Could someone elaborate on this?
> > What exactly is the difference between 'multiple entries' and 
> > 'multiple matches'?
> > How does this affect the order I must use when building a 
> sudoers file?
> There can be multiple sudoers entries that apply to a user.  
> Since sudoers is read in order, the last matching command in 
> the last entry that pertains to the user wins.
> This does mean that, given:
> someuser	ALL = /bin/*, !/bin/sh
> ...
> %somegroup	ALL = ALL
> if someuser is in somegroup they will be able to run any 
> command, even /bin/sh since the last match was "ALL=ALL".  
> This is a contrived example since it is never secure to give 
> someone sudo ALL and then try to deny specific commands.
> > I have some users who belong to the groups users, sysop and dba and 
> > I'm going crazy trying to figure out which line exactly grants or 
> > denies permission on specific commands.
> If you can put the least specific (or least privileged) 
> entries first it may work out the way you intend.  Running 
> "sudo -l" as the user may also be useful here.

Thanks a billion Todd!
I must have read the sudo man page a gazillion times looking for some
debugging option, but each time I overlooked the -l option. Perhaps it
is a good idea to add the remark "this is useful in debugging", as I was
searching for the string 'debug' everywhere.

Thanks again for pointing the way...

More information about the sudo-users mailing list