[sudo-users] Clarification of sudoers manual requested: multiple matches in sudoers file
christian.peper at kpn.com
Wed Dec 12 03:50:43 EST 2007
> -----Original Message-----
> From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
> Sent: Tuesday, December 11, 2007 8:41 PM
> Subject: Re: [sudo-users] Clarification of sudoers manual
> requested: multiple matches in sudoers file
>
> In message so spake (christian.peper):
>
> > The manual lists:
> > "When multiple entries match for a user, they are applied in order.
> > Where there are multiple matches, the last match is used (which is not
> > necessarily the most specific match)."
> >
> > Could someone elaborate on this?
> > What exactly is the difference between 'multiple entries' and
> > 'multiple matches'?
> > How does this affect the order I must use when building a sudoers file?
>
> There can be multiple sudoers entries that apply to a user.
> Since sudoers is read in order, the last matching command in
> the last entry that pertains to the user wins.
>
> This does mean that, given:
>
> someuser ALL = /bin/*, !/bin/sh
> ...
> %somegroup ALL = ALL
>
> if someuser is in somegroup they will be able to run any
> command, even /bin/sh since the last match was "ALL=ALL".
> This is a contrived example since it is never secure to give
> someone sudo ALL and then try to deny specific commands.
>
> > I have some users who belong to the groups users, sysop and dba and
> > I'm going crazy trying to figure out which line exactly grants or
> > denies permission on specific commands.
>
> If you can put the least specific (or least privileged)
> entries first it may work out the way you intend. Running
> "sudo -l" as the user may also be useful here.
Thanks a billion Todd!
I must have read the sudo man page a gazillion times looking for some
debugging option, but each time I overlooked the -l option. Perhaps it
is a good idea to add the remark "this is useful in debugging", as I was
searching for the string 'debug' everywhere.
:)
Thanks again for pointing the way...
Chris.
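The "last match wins" rule Todd describes above, as an added simulation that is not part of the original thread and not sudo's own parser. It handles only the tiny sudoers subset used in his example (`<user|%group> ALL = cmd, !cmd, ...`; no aliases, Runas specs, tags or host lists), and the group membership (`someuser` in `somegroup`) is constructed. It walks both the file as posted and the reordered file he suggests (least-privileged entry first), returning the decision together with a trace of every matching command spec, which is the information one otherwise digs out of `sudo -l`. His caveat still applies to the reordered file: granting ALL and then denying specific commands is not a secure pattern.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sudoers excerpt, mirroring the shape of the example in the thread.
SUDOERS_AS_POSTED = """
someuser ALL = /bin/*, !/bin/sh
%somegroup ALL = ALL
"""

# Constructed: the same two entries with the most specific, least privileged one last.
SUDOERS_REORDERED = """
%somegroup ALL = ALL
someuser ALL = /bin/*, !/bin/sh
"""

# Hypothetical group membership, constructed for this example.
GROUPS = {"someuser": {"somegroup"}}


@dataclass
class Entry:
    who: str        # "someuser" or "%somegroup"
    commands: list  # list of (negated, pattern) tuples in file order


def parse_sudoers(text):
    """Parse the subset '<user|%group> ALL = cmd, !cmd, ...'.
    Aliases, host lists, Runas specs and tags are deliberately not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        who, rest = line.split(None, 1)
        _hosts, cmd_spec = rest.split("=", 1)
        commands = []
        for cmd in cmd_spec.split(","):
            cmd = cmd.strip()
            negated = cmd.startswith("!")
            commands.append((negated, cmd.lstrip("!").strip()))
        entries.append(Entry(who, commands))
    return entries


def entry_applies(entry, user, groups):
    """A '%group' entry applies if the user is a member; otherwise the names must match."""
    if entry.who.startswith("%"):
        return entry.who[1:] in groups.get(user, set())
    return entry.who == user


def command_matches(pattern, command):
    """ALL matches everything; other patterns use shell-style globbing."""
    return pattern == "ALL" or fnmatch.fnmatchcase(command, pattern)


def resolve(text, user, command, groups=GROUPS):
    """Return (allowed, trace). Every applicable entry is visited in file order
    and the last matching command spec decides, as the manual states."""
    decision = None
    trace = []
    for idx, entry in enumerate(parse_sudoers(text), 1):
        if not entry_applies(entry, user, groups):
            continue
        for negated, pattern in entry.commands:
            if command_matches(pattern, command):
                decision = not negated
                trace.append((idx, entry.who, ("!" if negated else "") + pattern))
    return bool(decision), trace  # no match at all means no permission


if __name__ == "__main__":
    for label, sudoers in (("as posted", SUDOERS_AS_POSTED), ("reordered", SUDOERS_REORDERED)):
        allowed, trace = resolve(sudoers, "someuser", "/bin/sh")
        print(f"{label}: /bin/sh -> {'ALLOWED' if allowed else 'denied'}")
        for idx, who, spec in trace:
            print(f"  entry {idx} ({who}) matched {spec}")
```

Running it shows the file as posted allowing `/bin/sh` because entry 2's `ALL` is the last match, while the reordered file ends on `!/bin/sh` and denies it; the trace makes visible which line flipped the decision.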