Bug 365

Summary: request for sudoers to match most specific rule instead of last match seen
Product: Sudo    Reporter: Bdale Garbee <bdale>
Component: Sudo    Assignee: Todd C. Miller <Todd.Miller>
Status: NEW
Severity: enhancement    CC: mh+sudo-bugzilla
Priority: low
Version: 1.7.2
Hardware: PC
OS: Linux
URL: http://bugs.debian.org/116705

Description Bdale Garbee 2009-08-31 14:43:49 MDT
One of the users of my Debian packages of sudo requested a while back that sudo honor the most specific match instead of the last match seen in the sudoers file(s).  I'm personally satisfied with the current situation, but passing this along for your consideration.

Bdale
Comment 1 Marc Haber 2022-01-31 13:11:56 MST
This is the full report text from the Debian BTS:

Consider the following scenario. You want a certain group of users to
be able to run a few commands as a different user. They must be run
non-interactively, therefore must not prompt for a password.

So, you add the following lines to /etc/sudoers:
Cmnd_Alias	THECOMMANDS = /bin/true, /bin/false
%thegroup		ALL=(user) NOPASSWD: THECOMMANDS

which works great.

However, one of your users (let's give them the completely fictional
username "ieure") is an admin, and needs full sudo access, but should
be asked for their password. You add the following line:
ieure			ALL=(ALL) ALL

which doesn't work great, since this rule gets applied when ieure runs
'sudo -u user /bin/true', which then prompts for a password.

If I move the "ieure ALL=(ALL) ALL" line above the %thegroup line, it
works. It looks like it just takes the last match, instead of the most
specific.
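The ordering effect described in the report, as an added example that is not part of the bug report and not sudo's own code: a toy evaluator for the small subset of sudoers syntax the report uses (Cmnd_Alias, user and %group specs, the NOPASSWD tag) that applies the sudoers(5) rule "where there are multiple matches, the last match is used". The group membership (ieure and a constructed user bob in thegroup), the host name and the users alice and bob are assumptions made for the example; the two sudoers fragments are copies of the report's lines in the reported and in the swapped order.

```python
# Added example (not sudo's source, not from the bug report): a toy model of
# sudoers "last match wins" evaluation, run over the report's own rules.
# Group membership and the host name below are constructed assumptions.
import re
from dataclasses import dataclass

GROUPS = {"thegroup": {"ieure", "bob"}}   # assumption: ieure is in thegroup
HOSTNAME = "debian-box"                   # assumption; every rule uses ALL anyway


@dataclass
class Rule:
    who: str            # user name or %group
    host: str
    runas: str          # target user from "(...)"; sudo defaults this to root
    nopasswd: bool
    commands: list      # expanded command list, or ["ALL"]


USER_SPEC = re.compile(
    r"^(\S+)\s+(\S+?)\s*=\s*(?:\((\S+)\)\s*)?(?:(NOPASSWD|PASSWD)\s*:\s*)?(.+)$"
)


def parse_sudoers(text):
    """Parse only the subset of sudoers syntax the report uses."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        who, host, runas, tag, cmdlist = m.groups()
        commands = []
        for c in (x.strip() for x in cmdlist.split(",")):
            commands.extend(aliases.get(c, [c]))   # expand Cmnd_Alias names
        rules.append(Rule(who, host, runas or "root", tag == "NOPASSWD", commands))
    return rules


def _user_matches(spec, user):
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in GROUPS.get(spec[1:], set())
    return spec == user


def decide(rules, user, runas, command):
    """Return (allowed, password_required).

    Every entry matching invoking user, host, target user and command is
    considered; the LAST one in the file supplies the NOPASSWD/PASSWD tag.
    Specificity plays no part, which is exactly what the report runs into.
    """
    last = None
    for r in rules:
        if (_user_matches(r.who, user)
                and r.host in ("ALL", HOSTNAME)
                and r.runas in ("ALL", runas)
                and ("ALL" in r.commands or command in r.commands)):
            last = r
    if last is None:
        return (False, None)
    return (True, not last.nopasswd)


# The report's ordering (constructed copy of the lines quoted above).
REPORTED_ORDER = """\
Cmnd_Alias THECOMMANDS = /bin/true, /bin/false
%thegroup  ALL=(user) NOPASSWD: THECOMMANDS
ieure      ALL=(ALL) ALL
"""

# The reporter's workaround: broad admin rule first, specific NOPASSWD rule last.
SWAPPED_ORDER = """\
Cmnd_Alias THECOMMANDS = /bin/true, /bin/false
ieure      ALL=(ALL) ALL
%thegroup  ALL=(user) NOPASSWD: THECOMMANDS
"""


def check(sudoers_text, user, runas, command):
    return decide(parse_sudoers(sudoers_text), user, runas, command)


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_ORDER), ("swapped", SWAPPED_ORDER)):
        for user, runas, cmd in (("ieure", "user", "/bin/true"),
                                 ("ieure", "user", "/bin/ls"),
                                 ("bob", "user", "/bin/true"),
                                 ("alice", "user", "/bin/true")):
            print(label, user, runas, cmd, check(text, user, runas, cmd))
```

In the reported order, ieure running `sudo -u user /bin/true` matches both entries and the last one, `ieure ALL=(ALL) ALL`, has no NOPASSWD tag, so a password is required; in the swapped order the last match is the group rule and no password is needed, while `/bin/ls` as user still requires one under either order. The model deliberately ignores Defaults, User_Alias, Runas_Alias, Host_Alias and negated entries. On a real system the equivalent checks are `visudo -c` to validate the file, `sudo -l -U ieure` (as root) to list the entries that match in file order together with their tags, and `sudo -n -u user /bin/true` as ieure, which exits non-zero with "a password is required" when the effective last match lacks NOPASSWD.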