What is the proper sudoers syntax to add a user?

According to the comments in /etc/sudoers (Fedora 13):

## Syntax:
##
##    user  MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.

My two related questions:

  1. What does the ALL=(ALL) ALL mean in the following line:
    root  ALL=(ALL)   ALL
  2. I’ve tested these two lines but I cannot figure out how they are functionally different:
    superadm    ALL=(ALL)    ALL
    superadm    ALL=ALL

I’ve read the manual but the syntax specification is difficult to follow. I have derived that the (ALL) ALL part is the command and tag specifications but I still cannot get my head around it.

Answers:


Method 1

Note: I’m answering 1., since Ignacio already answered 2.

In the following sudo entry:

superadm  ALL=(ALL)   ALL

there are four fields:

  • The first one specifies a user that will be granted privileges for some command(s).
  • The second one is rarely used. It’s a list of hostnames on which this sudo entry will be effective. On standard setups only one host is relevant (localhost) so this field is usually left as ALL.
  • The fourth field is the list of commands superadm will be able to run with elevated privileges. ALL means all commands. Otherwise use a comma-separated list of commands.
  • The third field (the optional one, written in parentheses) specifies which users (and groups) the superadm user will be able to run the following commands as. ALL means they can choose anything (unrestricted). If this field is omitted, it means the same as (root).

Example:

alan   ALL = (root, bin : operator, system) /bin/ls, /bin/kill

Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root (or bin), possibly with additional operator or system group privileges.

So alan may choose to run ls as the bin user and with operator's group privileges like this:

sudo -u bin -g operator /bin/ls /whatever/directory

If -u is omitted, it’s the same as -u root. If -g is omitted, no additional group privileges are granted.

Method 2

From the sudoers(5) man page, DESCRIPTION section, Runas_Spec subsection:

The first Runas_List indicates which users the command may be run as via sudo’s -u option.

If no Runas_Spec is specified the command may be run as root and no group may be specified.

So there is no functional difference when trying to run commands as root, i.e., when not using -u with sudo. The difference matters when trying to run commands as other users; the latter will prevent this, but the former will allow it.
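To make the four fields from Method 1 and the Runas_Spec difference from Method 2 concrete, here is an added Python example (not part of either answer, and not sudo's own parser): a deliberately minimal parser for the user-specification form of a sudoers line, plus a check that evaluates whether a given "sudo -u USER -g GROUP COMMAND" request would match. It assumes literal names and ALL only (no aliases, no NOPASSWD-style tags, no wildcards, and it does not model sudo's exception that lets -g name the target user's primary group). The sample fragment is constructed; the question's second superadm line is renamed to limited so the two forms can be compared side by side.

```python
"""Minimal parser for the user-specification form of a sudoers line:

    user  HOST_LIST = (RUNAS_USERS : RUNAS_GROUPS) COMMAND_LIST

Constructed example for illustration: it handles literal names, ALL and
comma-separated lists only (no aliases, tags such as NOPASSWD:, or wildcards).
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+"            # field 1: user granted the rule
    r"(?P<hosts>[^=\s]+)\s*=\s*"       # field 2: host list, then '='
    r"(?:\((?P<runas>[^)]*)\)\s*)?"    # field 3: optional (users : groups)
    r"(?P<cmds>\S.*?)\s*$"             # field 4: command list
)


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


@dataclass
class SudoRule:
    user: str
    hosts: list
    runas_given: bool      # was a (...) Runas_Spec present at all?
    runas_users: list
    runas_groups: list
    commands: list


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    runas = m.group("runas")
    if runas is None:
        # No Runas_Spec: sudoers(5) says the command may be run as root
        # and no group may be specified.
        runas_given, users, groups = False, ["root"], []
    else:
        user_part, _, group_part = runas.partition(":")
        runas_given, users, groups = True, _split(user_part), _split(group_part)
    return SudoRule(m.group("user"), _split(m.group("hosts")), runas_given,
                    users, groups, _split(m.group("cmds")))


def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments (including the ## syntax notes)
        rules.append(parse_rule(stripped))
    return rules


def _matches(allowed, value):
    return "ALL" in allowed or value in allowed


def rule_permits(rule, invoking_user, host, command, target_user="root", target_group=None):
    """Would this one rule let invoking_user run
    `sudo -u target_user [-g target_group] command` on host?"""
    if rule.user != invoking_user or not _matches(rule.hosts, host):
        return False
    if not _matches(rule.commands, command):
        return False
    if not rule.runas_given:
        # Bare "ALL=ALL": root only, and -g is never allowed.
        return target_user == "root" and target_group is None
    if not _matches(rule.runas_users, target_user):
        return False
    # -g must name a listed group (the primary-group exception is not modelled here).
    if target_group is not None and not _matches(rule.runas_groups, target_group):
        return False
    return True


def permits(rules, invoking_user, host, command, target_user="root", target_group=None):
    """True if any rule in the file allows the request."""
    return any(rule_permits(r, invoking_user, host, command, target_user, target_group)
               for r in rules)


# Constructed sample fragment combining the lines discussed in the question and answers.
SAMPLE = """
## Syntax:
##    user  MACHINE=COMMANDS
root        ALL=(ALL)   ALL
superadm    ALL=(ALL)   ALL
limited     ALL=ALL
alan   ALL = (root, bin : operator, system) /bin/ls, /bin/kill
"""

RULES = parse_sudoers(SAMPLE)

if __name__ == "__main__":
    # superadm may target any user; limited may only become root and may not use -g.
    print(permits(RULES, "superadm", "localhost", "/bin/ls", target_user="bob"))   # True
    print(permits(RULES, "limited", "localhost", "/bin/ls", target_user="bob"))    # False
    print(permits(RULES, "alan", "localhost", "/bin/ls", "bin", "operator"))       # True
```

The check mirrors the two man-page sentences quoted above: a rule without a Runas_Spec collapses to root with no group, while (ALL) opens the -u choice to every user but still requires -g to name a listed group.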


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
