Permissions – Difference Between ‘modernNeo ALL=(ALL:ALL) ALL’ and ‘modernNeo ALL=(ALL) ALL’ in Sudoers File

permissions, sudo

In the sudoers file, you can have either of the following lines

modernNeo ALL=(ALL:ALL) ALL
modernNeo ALL=(ALL) ALL

I looked at the following answers on here to understand this

Question 1

If I understand correctly from those above answers, (ALL:ALL) means that you can run the command as any user and any group and that (ALL) means that you can run the command as any user but your group remains the same [it remains your own group] regardless of the user you become when you use sudo with ALL for the third entry?

Question 2

But with (ALL:ALL)

  • If you can run it as any group, how does sudo decide what group you run the command as if you don't specify it on the command line using -g?
  • Does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?
  • Where does it get the list of groups from and what is the order of the groups on that list?
  • Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn't specified? If that is the case, why do (ALL:ALL) when you can do (root:root) ?

Question 3

Furthermore, in this Ubuntu Forums post, with regards to the following lines

%admin ALL=(ALL) ALL

%sudo   ALL=(ALL:ALL) ALL  

They say that

Users in the admin group may become root. Users in the sudo group can only use the sudo command.
For instance, they could not sudo su
(ALL:ALL) refers to (user:group) that sudo will use. It can be specified with -u and -g when you run sudo. If you don't specify anything it will run as root:root, which is the default. That's how most end up using it anyway.

That confuses me; they are stating that if you can take on any group when running a command, then you are unable to become root?

Best Answer

A line like:

smith ALL=(ALL) ALL

Will allow the user smith to use sudo to run at any computer (first ALL), as any user (the second ALL, the one inside parentheses) any command (the last ALL). This command will be allowed by sudo:

smith@site ~ $ sudo -u root -g root bash

But this won't:

smith@site ~ $ sudo -u root -g smith bash

As the permissions for ANY group have not been declared.

This, however:

smith ALL=(ALL:ALL) ALL

Will allow this command to be executed (assuming user tom and group sawyer exist):

smith@site ~ $ sudo -u tom -g sawyer bash
tom@site ~ $ id
uid=1023(tom) gid=1087(sawyer) groups=1047(tom),1092(sawyer)

Having said that:

Q1

(ALL:ALL) means that you can run the command as any user and any group

Yes

(ALL) means that you can run the command as any user

Yes

but your group remains the same [it remains your own group]

No, the only group allowed is root.

Q2

how does sudo decide what group you run the command as if you don't specify it on the commandline using -g?

It defaults to root

does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?

No.

Where does it get the list of groups from and what is the order of the groups on that list?

There is no list to use, no group to search, it simply falls to default root when *:ALL is used, or to the named group if *:group is used.

Simple rules, simple actions.

Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn't specified?

Yes.

If that is the case, why do (ALL:ALL) when you can do (root:root) ?

Because with (ALL:ALL) you can do:

sudo -u tom -g sawyer id

But with (root:root) you can only do:

sudo -u root -g root id

Nothing else (user and group wise).

Q3

For these lines:

%admin  ALL=(ALL)     ALL
%sudo   ALL=(ALL:ALL) ALL

Users in the admin group may become root.

Yes, users in the group(%) admin could become ANY user (including root) (because of the (ALL)) but only the root group.

Users in the sudo group can only use the sudo command.

That is incorrect. The users in the sudo group could execute any command (the last ALL).

Users in the group(%) sudo could become any user (the (ALL:) part)
and
any group (the (:ALL) part)
AND
may execute any command (the last ALL) (not only sudo, which is specifically incorrect).

For instance, they could not sudo su

No, they could do sudo su or sudo ls or sudo anycommand.

(ALL:ALL) refers to (user:group) that sudo will use. It can be specified with -u and -g when you run sudo.

They are correct here. The command sudo -u tom -g sawyer ls is correct and valid.

If you don't specify anything it will run as root:root, which is the default.

And they are correct here as well. The command sudo ls will be executed with root:root permissions.

That's how most end up using it anyway.

Correct, the most used sudo command doesn't specify either a user or group.
So, it is the "most used, anyway" (default root:root).

That confuses me... they are stating that if you can take on any group when running a command,

Yes, they state that with (ALL:ALL) sudo could take any user or group.

But:

then you are unable to become root?

No, that is not what they said.
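As an added illustration (not code from the post or from sudo itself), here is a small Python model of the Runas_Spec matching the answer walks through, so the cases above can be checked side by side. It follows the sudoers(5) rule that a -g group is accepted when it appears in the second Runas_List or is one of the target user's own groups, and that without -g the command runs with the target user's primary group; the account data and the hostname "site" are constructed assumptions for the example.

```python
import re

# Constructed sample account data for this example (not from any real system).
PRIMARY_GROUP = {"root": "root", "smith": "smith", "tom": "sawyer"}
GROUP_MEMBERS = {"root": {"root"}, "smith": {"smith"}, "sawyer": {"tom"},
                 "admin": {"smith"}, "sudo": {"smith"}}

# who  host=(runas_users[:runas_groups])  command   -- the line shape used on this page
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=(?:\(([^)]*)\)\s*)?(.+)$")

def parse_rule(line):
    """Split one sudoers user specification into who / host / runas users / runas groups / command."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    who, host, runas, cmd = m.groups()
    users, groups = ["root"], []            # no Runas_Spec at all: root only
    if runas is not None:
        user_part, _, group_part = runas.partition(":")
        users = [u.strip() for u in user_part.split(",") if u.strip()]
        groups = [g.strip() for g in group_part.split(",") if g.strip()]
    return {"who": who, "host": host, "users": users, "groups": groups, "cmd": cmd.strip()}

def _in_list(name, allowed):
    return "ALL" in allowed or name in allowed

def groups_of(user):
    """Primary plus supplementary groups of a user in the sample data."""
    return {PRIMARY_GROUP[user]} | {g for g, members in GROUP_MEMBERS.items() if user in members}

def check(rule_line, invoker, command, run_user=None, run_group=None, host="site"):
    """Return (allowed, 'user:group' the command would run as) for one sudo request."""
    r = parse_rule(rule_line)
    who = r["who"]
    who_ok = who == "ALL" or who == invoker or (
        who.startswith("%") and invoker in GROUP_MEMBERS.get(who[1:], ()))
    host_ok = r["host"] in ("ALL", host)
    target = run_user or "root"                 # sudo's default target user is root
    user_ok = _in_list(target, r["users"])
    if run_group is None:
        group, group_ok = PRIMARY_GROUP.get(target, "?"), True   # no -g: target's primary group
    else:
        # -g must be in the Runas group list, or be one of the target user's own groups
        group, group_ok = run_group, _in_list(run_group, r["groups"]) or run_group in groups_of(target)
    cmd_ok = r["cmd"] == "ALL" or r["cmd"] == command
    return (who_ok and host_ok and user_ok and group_ok and cmd_ok, f"{target}:{group}")

if __name__ == "__main__":
    print(check("smith ALL=(ALL) ALL", "smith", "bash", run_user="root", run_group="smith"))   # denied
    print(check("smith ALL=(ALL:ALL) ALL", "smith", "bash", run_user="tom", run_group="sawyer"))  # allowed
```

On a real host the authoritative check is `sudo -l -U smith` (as root) or `sudo -l -u tom -g sawyer bash`, which report what the installed sudoers actually permits.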
