Bug 211

Summary: strange order dependence in sudoers
Product: Sudo
Reporter: James M. Corey <jmcorey>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: normal    
Version: 1.6.8   
Hardware: All   
OS: All   

Description James M. Corey 2006-03-14 02:40:00 MST
If my sudoers file contains just two lines, like this:

  jack ALL=ALL
  jack ALL=(jill)ALL

Then jack can successfully run

  sudo -u jill whoami

However, if I reverse the order of those two lines in sudoers:

  jack ALL=(jill)ALL
  jack ALL=ALL

Then sudo will fail jack with the usual message:
"Sorry, user jack is not allowed to execute '/usr/bin/whoami' as jill on hill"

This is a contrived example, of course.  My objective is to make
it as short and simple as possible.

If this sudo behavior is intentional, I apologize for not comprehending.
This is with 1.6.8p12, no special --configure options.

Comment 1 Todd C. Miller 2007-07-05 16:28:22 MDT
This is indeed a bug.  The problem is that the parser is not distinguishing between a lack of a match in the runas user and a negative match (i.e. !user).

Comment 2 Todd C. Miller 2007-11-02 15:39:25 MDT
This has been fixed in sudo 1.6.9p8.
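
The following is an added illustration, not part of the bug thread and not sudo's parser code: a small C model of the confusion described in Comment 1, comparing a two-valued runas match (no match treated like `!user`) with a three-valued one. It assumes last-match-wins evaluation and that a rule without a runas list means root; the names `rule`, `runas_match`, `allowed` and the rule arrays are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not sudo's parser: each rule carries one runas user. */
enum match { UNSPEC = -1, DENY = 0, ALLOW = 1 };

struct rule {
    const char *runas;   /* "root" models a rule with no (user) list (assumption) */
    int negated;         /* 1 models "!user" */
};

/* Three-valued match: a rule naming a different user says nothing at all. */
static enum match runas_match(const struct rule *r, const char *target)
{
    if (strcmp(r->runas, target) != 0)
        return UNSPEC;
    return r->negated ? DENY : ALLOW;
}

/* Last matching rule wins. With conflate_unspec set, "no match" is treated
 * as a negative match, which is the confusion described in Comment 1. */
int allowed(const struct rule *rules, size_t n, const char *target,
            int conflate_unspec)
{
    enum match result = UNSPEC;
    for (size_t i = 0; i < n; i++) {
        enum match m = runas_match(&rules[i], target);
        if (m == UNSPEC && conflate_unspec)
            m = DENY;
        if (m != UNSPEC)
            result = m;
    }
    return result == ALLOW;
}

/* Constructed rule sets mirroring the two sudoers orderings in the report. */
const struct rule ORDER_A[] = { { "root", 0 }, { "jill", 0 } }; /* ALL, then (jill)ALL */
const struct rule ORDER_B[] = { { "jill", 0 }, { "root", 0 } }; /* (jill)ALL, then ALL */
const struct rule NEGATED[] = { { "jill", 0 }, { "jill", 1 } }; /* explicit !jill last */

int main(void)
{
    printf("conflated: A=%d B=%d\n", allowed(ORDER_A, 2, "jill", 1),
           allowed(ORDER_B, 2, "jill", 1));
    printf("tri-state: A=%d B=%d negated=%d\n", allowed(ORDER_A, 2, "jill", 0),
           allowed(ORDER_B, 2, "jill", 0), allowed(NEGATED, 2, "jill", 0));
    return 0;
}
```

With the conflated match, the second ordering denies `-u jill` because the trailing root-only rule overrides the earlier grant; with the three-valued match both orderings allow it, and only an explicit negation denies.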