[sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules

Todd C. Miller Todd.Miller at sudo.ws
Fri Jan 29 04:53:24 MST 2021


On Fri, 29 Jan 2021 08:31:28 +0000, Ralph Meier wrote:

> After resolving some syncing issues of our LDAP servers I found there is a second rule:
>
> LDAP Role: os_viocheck_xxxde
>     RunAsUsers: root
>     Options: !authenticate
>     Commands:
>         ALL
>
> LDAP Role: os_all_allch
>     RunAsUsers: ALL
>     Commands:
>         ALL
>
> Does this second rule without "!authenticate" overwrite the previous one because
> they are just evaluated in the order the LDAP server delivers them? Is there
> a way to prioritize a rule?

Yes, the second rule is overriding the first one.  You can use the
sudoOrder attribute to indicate priority.  Rules are evaluated
sorted by sudoOrder, so higher-value rules are evaluated later.

See the sudoers.ldap manual for more info.

 - todd
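The behaviour described in this reply, as an added illustration that is not part of the thread and not sudo's own code: a simplified Python model of how sudo picks among several matching sudoRole entries. It follows what sudoers.ldap(5) documents, namely that matching entries are sorted by sudoOrder (a missing attribute counts as 0) and the entry with the highest sudoOrder wins, which is the LDAP equivalent of the sudoers file's "last match" rule. The user name, host and command below are constructed, the two roles mirror the ones quoted above, and the model deliberately ignores group and netgroup matching, negated commands and the time-based attributes.

```python
"""Simplified model of sudo's sudoOrder handling for LDAP sudoRole entries.

Added example, not sudo's implementation.  It models only the documented
rule: sort matching sudoRole entries by sudoOrder (absent == 0) and let the
highest-ordered match decide.  Sample data below is constructed; user and
group matching is reduced to exact user name or ALL.
"""
from dataclasses import dataclass, field, replace


@dataclass
class SudoRole:
    cn: str
    sudo_user: list[str]
    sudo_host: list[str]
    sudo_runas_user: list[str]
    sudo_command: list[str]
    sudo_option: list[str] = field(default_factory=list)
    sudo_order: float = 0.0  # sudoOrder; an absent attribute is treated as 0


def _matches(values, wanted):
    """ALL matches anything; otherwise the value must be listed verbatim."""
    return "ALL" in values or wanted in values


def resolve(roles, user, host, runas, command):
    """Return (allowed, options) for the request.

    `roles` is the list in the order the LDAP server returned it.  Matching
    entries are stably sorted by sudoOrder and the last one wins, so entries
    with equal sudoOrder (e.g. none set) are decided by server order alone.
    """
    matching = [
        r for r in roles
        if _matches(r.sudo_user, user)
        and _matches(r.sudo_host, host)
        and _matches(r.sudo_runas_user, runas)
        and _matches(r.sudo_command, command)
    ]
    if not matching:
        return False, []
    winner = sorted(matching, key=lambda r: r.sudo_order)[-1]
    return True, list(winner.sudo_option)


def requires_password(options):
    """The !authenticate option is what 'NOPASSWD' becomes in LDAP."""
    return "!authenticate" not in options


# Constructed roles mirroring the two quoted in the thread, without sudoOrder.
VIOCHECK = SudoRole("os_viocheck_xxxde", ["ralph"], ["ALL"], ["root"], ["ALL"],
                    ["!authenticate"])
ALLCH = SudoRole("os_all_allch", ["ralph"], ["ALL"], ["ALL"], ["ALL"])


def server_order_dependent():
    """Without sudoOrder the password prompt depends on server return order."""
    first = resolve([VIOCHECK, ALLCH], "ralph", "host1", "root", "/usr/bin/id")
    second = resolve([ALLCH, VIOCHECK], "ralph", "host1", "root", "/usr/bin/id")
    return requires_password(first[1]), requires_password(second[1])


def with_sudo_order():
    """Give the !authenticate role the higher sudoOrder so it wins either way."""
    ordered = [replace(VIOCHECK, sudo_order=20), replace(ALLCH, sudo_order=10)]
    forward = resolve(ordered, "ralph", "host1", "root", "/usr/bin/id")
    backward = resolve(list(reversed(ordered)), "ralph", "host1", "root", "/usr/bin/id")
    return requires_password(forward[1]), requires_password(backward[1])


if __name__ == "__main__":
    print("no sudoOrder, password required per server order:", server_order_dependent())
    print("with sudoOrder, password required:", with_sudo_order())
```

The first function reproduces the symptom in the thread: with no sudoOrder on either entry, whether a password is asked for flips with the order the server happens to return the roles. The second shows the fix the reply points at, giving the role that carries !authenticate the larger sudoOrder so it is evaluated last regardless of server order. Entries that should override others get a higher sudoOrder; a general "ALL" rule is usually given a low value so that specific exceptions can sit above it.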

