In the sudoers file, you can have either of the following lines
modernNeo ALL=(ALL:ALL) ALL
modernNeo ALL=(ALL) ALL
I looked at the following answers on here to understand this
- Sudoers file, enable NOPASSWD for user, all commands
- What is the difference between root ALL=(ALL:ALL) ALL and root ALL=(ALL) ALL?
- Effect of (ALL:ALL) in sudoers?
- What does “ALL ALL=(ALL) ALL” mean in sudoers?
Question 1
If I understand correctly from those above answers:
- (ALL:ALL) means that you can run the command as any user and any group
- (ALL) means that you can run the command as any user but your group remains the same [it remains your own group] – regardless of the user you become when you use sudo with ALL for the third entry?
Question 2
But with (ALL:ALL)
- If you can run it as any group, how does sudo decide what group you run the command as if you don’t specify it on the commandline using -g?
- does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?
- Where does it get the list of groups from and what is the order of the groups on that list?
- Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn’t specified? If that is the case, why do (ALL:ALL) when you can do (root:root)?
Question 3
Furthermore, in this Ubuntu Forums post, with regards to the following lines
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
They say that
Users in the admin group may become root. Users in the sudo group can only use the sudo command. For instance, they could not
sudo su
(ALL:ALL) refers to (user:group) that sudo will use. It can be specified with -u and -g when you run sudo. If you don’t specify anything it will run as root:root, which is the default. That’s how most end up using it anyway.
That confuses me; they are stating that if you can take on any group when running a command, then you are unable to become root?
Answers:
Method 1
A line like:
smith ALL=(ALL) ALL
will allow the user smith to use sudo to run at any computer (first ALL), as any user (the second ALL, the one inside parentheses) any command (the last ALL). This command will be allowed by sudo:
smith@site ~ $ sudo -u root -g root bash
But this won’t:
smith@site ~ $ sudo -u root -g smith bash
as the permissions for ANY group have not been declared.
This, however:
smith ALL=(ALL:ALL) ALL
will allow this command to be executed (assuming user tom and group sawyer exist):
smith@site ~ $ sudo -u tom -g sawyer bash
tom@site ~ $ id
uid=1023(tom) gid=1087(sawyer) groups=1047(tom),1092(sawyer)
Having said that:
Q1
(ALL:ALL) means that you can run the command as any user and any group
Yes
(ALL) means that you can run the command as any user …
Yes
… but your group remains the same [it remains your own group]
No, the only group allowed is root.
Q2
how does sudo decide what group you run the command as if you don’t specify it on the commandline using -g?
It defaults to root.
does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?
No.
Where does it get the list of groups from and what is the order of the groups on that list?
There is no list to use.
As stated above, it simply falls to default root
when user:ALL is used,
or to the named group if user:group is used.
Simple rules, simple actions.
Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn’t specified?
Yes.
If that is the case, why do (ALL:ALL) when you can do (root:root) ?
Because with (ALL:ALL) you can do:
sudo -u tom -g sawyer id
But with (root:root) you can only do:
sudo -u root -g root id
and nothing else (user- and group-wise).
Q3
For these lines:
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
Users in the admin group may become root.
Yes, users in the admin group (%) could become ANY user (including root) (because of the (ALL)) but only the root group.
Users in the sudo group can only use the sudo command.
That is incorrect. The users in the sudo group (%) could execute any command (the last ALL).
Users in the sudo group (%) could become any user (the (ALL:) part) and any group (the (:ALL) part) AND may execute any command (the last ALL) (not only sudo, which is specifically incorrect).
For instance, they could not
sudo su
No, they could do sudo su or sudo ls
or sudo anycommand.
(ALL:ALL) refers to (user:group) that sudo will use.
It can be specified with -u and -g when you run sudo.
They are correct here. The command sudo -u tom -g sawyer ls is correct and valid.
If you don’t specify anything it will run as
root:root,
which is the default.
And are correct here as well. The command sudo ls will be executed with root:root credentials (i.e., powers / privileges).
That’s how most end up using it anyway.
Correct, the most used sudo command doesn’t specify either a user or group.
So, it is the “most used, anyway” (default root:root).
That confuses me… they are stating that if you can take on any group when running a command, …
Yes, they state that with (ALL:ALL) the sudo command could take any user or group.
And:
… then you are unable to become root?
No, that interpretation is incorrect.
- with (ALL:ALL) ALL sudo is allowed to become any user with any group to execute any command. Even root.
- with (ALL) ALL sudo loses the ability to set the group, but could still set the user and run any command (sudo su - is allowed).
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
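An added example, not part of the original question or answer: a small Python audit helper that reads sudoers-style rules and reports, for each one, which target users and target groups its (user:group) part declares, so that (ALL), (ALL:ALL) and (root:root) can be told apart when reviewing a file. The sample rules are constructed (the names backup, deploy and www-data are assumptions), and the parser handles only simple one-line rules, not aliases, line continuations or per-command Runas specifications.

```python
import re
# Constructed sample built from the rule shapes discussed on this page.
SAMPLE = """\
# constructed sample, not taken from a real system
Defaults env_reset
modernNeo ALL=(ALL:ALL) ALL
smith ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
backup ALL=(root:root) ALL
deploy ALL=(tom : sawyer, www-data) NOPASSWD: ALL
"""

# who  hosts = (runas-users : runas-groups) commands ; the parenthesised part is optional
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def split_list(text):
    """Turn 'sawyer, www-data' into ['sawyer', 'www-data']."""
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_rule(line):
    """Parse one simple user specification; return None for anything else."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
        return None
    m = RULE.match(line)
    if m is None:
        return None
    who, hosts, runas, cmds = m.groups()
    users = groups = None                  # no (user:group) part written at all
    if runas is not None:
        user_part, colon, group_part = runas.partition(":")
        users = split_list(user_part)
        groups = split_list(group_part) if colon else None  # None: no group list
    return {"who": who, "hosts": hosts, "users": users, "groups": groups, "cmds": cmds}

def scope(names):
    """Summarise a Runas list: absent, unrestricted, or the explicit names."""
    if names is None:
        return "not declared"
    return "any" if "ALL" in names else ",".join(names)

def audit(text):
    """Return (who, target-user scope, target-group scope) for every rule found."""
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [(r["who"], scope(r["users"]), scope(r["groups"])) for r in rules]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rules reported as any/any are the (ALL:ALL) form; any/not declared is the (ALL) form, where the rule itself names no group list.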