In the sudoers file, you can have either of the following lines
modernNeo ALL=(ALL:ALL) ALL
modernNeo ALL=(ALL) ALL
I looked at the following answers on here to understand this
- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands/340669#340669
- https://askubuntu.com/questions/546219/what-is-the-difference-between-root-all-allall-all-and-root-all-all-all/546228#546228
- This post on Ubuntu Forums
- https://unix.stackexchange.com/a/201866
Question 1
If I understand correctly from those above answers, (ALL:ALL) means that you can run the command as any user and any group and that (ALL) means that you can run the command as any user but your group remains the same [it remains your own group] regardless of the user you become when you use sudo with ALL for the third entry?
Question 2
But with (ALL:ALL)
- If you can run it as any group, how does sudo decide what group you run the command as if you don't specify it on the commandline using -g?
- does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?
- Where does it get the list of groups from and what is the order of the groups on that list?
- Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn't specified? If that is the case, why do (ALL:ALL) when you can do (root:root)?
Question 3
Furthermore, in this Ubuntu Forums post, with regards to the following lines
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
They say that
Users in the admin group may become root. Users in the sudo group can only use the sudo command. For instance, they could not sudo su
(ALL:ALL) refers to (user:group) that sudo will use. It can be specified with -u and -g when you run sudo. If you don't specify anything it will run as root:root, which is the default. That's how most end up using it anyway.
That confuses me; they are stating that if you can take on any group when running a command, then you are unable to become root?
Best Answer
A line like:
Will allow the user smith to use sudo to run at any computer (first ALL), as any user (the second ALL, the one inside parentheses) any command (the last ALL). This command will be allowed by sudo:
But this won't:
As the permissions for ANY group have not been declared.
This, however:
Will allow this command to be executed (assuming user tom and group sawyer exist):
Having said that:
Q1
Yes
Yes
No, the only group allowed is root.
Q2
It defaults to root
No.
There is no list to use, no group to search, it simply falls to default root when *:ALL is used, or to the named group if *:group is used.
Simple rules, simple actions.
Yes.
Because with (ALL:ALL) you can do:
But with (root:root) you can only do:
Nothing else (user and group wise).
Q3
For these lines:
Yes, users in the group (%) admin could become ANY user (including root) (because of the (ALL)) but only the root group.
That is incorrect. The users in the sudo group could execute any command (the last ALL).
Users in the group (%) sudo could become any user (the (ALL:) part) and any group (the (:ANY) part) AND may execute any command (the last ALL) (not only sudo, which is specifically incorrect).
No, they could do sudo su or sudo ls or sudo anycommand.
They are correct here. The command sudo -u tom -g sawyer ls is correct and valid.
And are correct here as well. The command sudo ls will be executed with root:root permissions.
Correct, the most used sudo command doesn't specify either a user or group.
So, it is the "most used, anyway" (default root:root).
Yes, they state that with (ALL:ALL) sudo could take any user or group.
But:
No, that is not what they said.
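The following is an added example, not part of the original question or answer: a small Python model for auditing which `-u`/`-g` combinations a sudoers line permits, following the rules as the answer above states them. The rule strings are constructed from the names used in the answer (smith, tom, sawyer); the function names are hypothetical, only plain names and ALL are handled, and `-g` without `-u` is left outside the model.

```python
import re

# Simplified sudoers user specification: who host=(runas) command
# Handles plain names and ALL only (no aliases, negation, tags or #uid).
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def _names(part):
    """Split a comma-separated Runas list into its entries."""
    return [x.strip() for x in part.split(",") if x.strip()]


def parse_runas(rule):
    """Return (users, groups) listed in the rule's parenthesised Runas spec."""
    m = RULE.match(rule.strip())
    if m is None:
        raise ValueError(f"not a user specification: {rule!r}")
    spec = m.group(3)
    if spec is None:
        # No parentheses at all: only root, and no group list.
        return ["root"], []
    users, _, groups = spec.partition(":")
    return _names(users), _names(groups)


def runas_allowed(rule, user=None, group=None):
    """Model `sudo [-u user] [-g group] cmd` against one rule.

    user/group are the -u/-g values; None means the option was not given.
    As in the answer above: no -u means root, and -g is accepted only
    when the rule lists that group (or ALL) after the colon.
    """
    if user is None and group is not None:
        raise ValueError("-g without -u is outside this model")
    users, groups = parse_runas(rule)
    target = user if user is not None else "root"
    user_ok = "ALL" in users or target in users
    group_ok = group is None or "ALL" in groups or group in groups
    return user_ok and group_ok


if __name__ == "__main__":
    # Constructed rules; each is checked against four sample invocations.
    rules = ("smith ALL=(ALL) ALL", "smith ALL=(ALL:ALL) ALL",
             "smith ALL=(root:root) ALL")
    requests = ((None, None), ("tom", None), ("tom", "sawyer"), ("root", "root"))
    for rule in rules:
        for u, g in requests:
            print(f"{rule:26} -u {u!s:5} -g {g!s:7} -> {runas_allowed(rule, u, g)}")
```

Running the script prints one line per rule and request, which makes the practical difference between (ALL), (ALL:ALL) and (root:root) visible side by side.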