LinuxQuestions.org


uncle-c 11-11-2007 09:52 AM

Sudoers syntax clarification.
 
Hi there,
Something odd occurred when I edited the "sudoers" file and I was wondering if its behaviour could be explained. It was on an Ubuntu 7.04 server box.
Correct me if I'm wrong, but in the following syntax:

Code:

uncle ALL=(uncle) /sbin/fdisk

uncle - user

ALL - any machine

(uncle) - user which the command is run as

When I log in as user "uncle" and run sudo fdisk -l, the command runs perfectly.

However, I was playing around with the syntax and this also works!

Code:

uncle uncle= /sbin/fdisk

At first glance I assumed that it meant that user uncle can run the command on machine uncle. Could someone kindly explain why this works as well?

Cheers,
Uncle

Disillusionist 11-11-2007 10:41 AM

As I understand it, your first sudo command should have failed with an error stating something like:

"Sorry, user uncle is not allowed to execute /sbin/fdisk as root"

The second example should work. As you are not specifying a user to run the command, root will be taken as the default.

When you specify a user:
Code:

disillusionist ALL=(uncle) /usr/bin/vi

You are stating that disillusionist can run /usr/bin/vi on any machine as the user uncle. To run that I would need to type:
Code:

sudo -u uncle vi test_file

As both seem to work I would guess that you have another entry in the sudoers file that is being evaluated.

Possibly something like:
Code:

%admin ALL=(ALL) ALL

This would mean that anyone in group admin could run any command as any user.

uncle-c 11-11-2007 11:50 AM

Quote:

Originally Posted by Disillusionist (Post 2955273)
As both seem to work I would guess that you have another entry in the sudoers file that is being evaluated.

Possibly something like:
Code:

%admin ALL=(ALL) ALL

This would mean that anyone in group admin could run any command as any user.

Thanks Dis!
The above entry is in my sudoers file. I also checked the /etc/group file and noticed that uncle was in the group admin. This must have happened during my initial Ubuntu install when I was asked to create a non-root user (uncle). Is this user automatically added to group admin?
I now realise that user uncle can sudo without any alterations being made to the /etc/sudoers file as a result of this group affiliation. Obviously sudoers file changes would have to be made for user aunty to run privileged programs.
You have been right on all accounts in your post. Thanks for clearing everything up. All makes sense now.
Thanks again!

All good wishes,

Uncle.
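
The evaluation worked out in the posts above, as an added example that is not part of the original thread: a simplified Python model of how sudo matches a request against the three entries quoted here. The host name ubuntu-box, the order of the entries and the helper names are assumptions; aliases, negation, tags, comma-separated lists and command arguments are not modelled.

```python
import re

# One simple user specification: who host=(runas) command
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# The three entries quoted in the thread (their order here is constructed).
RULES = [
    "uncle ALL=(uncle) /sbin/fdisk",
    "uncle uncle= /sbin/fdisk",
    "%admin ALL=(ALL) ALL",
]

def parse(line):
    """Split one entry into (who, host, runas, command)."""
    m = SPEC.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    who, host, runas, cmd = m.groups()
    # Without a (runas) list the command may only be run as root.
    return who, host, (runas or "root").strip(), cmd.strip()

def matching_rule(lines, user, groups, host, runas, command):
    """Return the entry that decides the request, or None if nothing allows it."""
    hit = None
    for line in lines:
        who, rhost, rrunas, rcmd = parse(line)
        who_ok = who in ("ALL", user) or (who[0] == "%" and who[1:] in groups)
        if (who_ok and rhost in ("ALL", host)
                and rrunas in ("ALL", runas) and rcmd in ("ALL", command)):
            hit = line  # when several entries match, sudo uses the last one
    return hit

if __name__ == "__main__":
    # "sudo fdisk -l" asks to run /sbin/fdisk as root (no -u given).
    request = dict(host="ubuntu-box", runas="root", command="/sbin/fdisk")
    for label, groups in (("uncle in admin", {"admin"}), ("uncle not in admin", set())):
        for rules in (RULES[:1], RULES[1:2], RULES):
            print(label, rules, "->", matching_rule(rules, "uncle", groups, **request))
```

With uncle in group admin the %admin entry decides the request whichever of the two uncle lines is present; without that membership the first line only allows sudo -u uncle fdisk and the second only applies on a host named uncle.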

Disillusionist 11-11-2007 11:54 AM

Before modifying the sudoers file (using visudo), you may want to activate the root account for logins.

If anything goes wrong with your changes (and you can't run sudo commands) you would need either an active root session or the ability to log in as root.

To activate the root account (if you haven't already) type:

Code:

sudo passwd

