Bug 589

Summary: 'sudo -l' output is misleading wrt NOPASSWD tag
Product: Sudo
Reporter: mweetman
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: low    
Version: 1.8.3   
Hardware: PC   
OS: Linux   

Description mweetman 2013-02-18 17:52:24 MST
The output from 'sudo -l' and 'sudo -ll' doesn't show the NOPASSWD tag for subsequent commands (aliases) defined in the same user rule, but lists them separately, which makes it look like NOPASSWD is not applied.


Steps to reproduce:
# useradd testuser

# grep -e ^Cmnd_Alias.*SOFTWARE /etc/sudoers
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

# grep -e ^Cmnd_Alias.*DRIVERS /etc/sudoers
Cmnd_Alias DRIVERS = /sbin/modprobe

# grep -e ^testuser /etc/sudoers
testuser ALL=(ALL) NOPASSWD: SOFTWARE, DRIVERS

# sudo -U testuser -l
Matching Defaults entries for testuser on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
    KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser may run the following commands on this host:
    (ALL) NOPASSWD: /bin/rpm, /usr/bin/up2date, /usr/bin/yum, (ALL)
    /sbin/modprobe

# sudo -U testuser -ll
Matching Defaults entries for testuser on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
    KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser may run the following commands on this host:

Sudoers entry:
    RunAsUsers: ALL
    Commands:
	NOPASSWD: /bin/rpm, /usr/bin/up2date, /usr/bin/yum
    RunAsUsers: ALL
    Commands:
	/sbin/modprobe

# lsmod | grep joy
joydev                 17458  0

# su - testuser
$ sudo /sbin/modprobe -r joydev
$ lsmod | grep joy
$

Comment 1 Todd C. Miller 2013-02-19 16:30:55 MST
Thanks, I've made changes to the list output to avoid printing the runas list when it has not changed and to reprint the tags if the runas list does change. That should make things a bit more readable.

Comment 2 Todd C. Miller 2013-06-16 05:18:09 MDT
Fixed in sudo 1.8.7
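
The inheritance behind this report, as an added example that is not part of the original report or of sudo's source: in a sudoers command list, a tag such as NOPASSWD and the runas list carry forward to later commands until overridden, so an audit should resolve the effective tags per command rather than read them off the listing. The parser handles one user specification line and assumes no escaped commas or per-command options; `ALIASES`, `RULE` and the function names are constructed for illustration from the lines quoted in the description.

```python
import re

# Constructed input mirroring the sudoers lines quoted in the report.
ALIASES = {
    "SOFTWARE": ["/bin/rpm", "/usr/bin/up2date", "/usr/bin/yum"],
    "DRIVERS": ["/sbin/modprobe"],
}
RULE = "testuser ALL=(ALL) NOPASSWD: SOFTWARE, DRIVERS"

# Each tag cancels its opposite when it appears later in the list.
PAIRS = [("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV")]
OPPOSITE = {a: b for x, y in PAIRS for a, b in ((x, y), (y, x))}

# One Cmnd_Spec: optional "(runas)", zero or more "TAG:", then the command.
SPEC = re.compile(r"^\s*(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def effective_rules(rule, aliases):
    """Return (runas, tags, command) per command, with inheritance applied."""
    _, spec_list = rule.split("=", 1)
    runas, tags, out = "root", set(), []   # root is the default runas user
    # Split on commas that are not inside a "(runas, list)".
    for spec in re.split(r",(?![^(]*\))", spec_list):
        new_runas, new_tags, cmnd = SPEC.match(spec).groups()
        if new_runas is not None:
            runas = new_runas.strip()       # the runas list carries forward too
        for tag in re.findall(r"[A-Z_]+", new_tags):
            tags.discard(OPPOSITE.get(tag))  # a later PASSWD: cancels NOPASSWD:
            tags.add(tag)
        for path in aliases.get(cmnd, [cmnd]):  # expand Cmnd_Alias names
            out.append((runas, frozenset(tags), path))
    return out


def passwordless(rule, aliases):
    """Commands the rule allows without authentication."""
    return [c for _, t, c in effective_rules(rule, aliases) if "NOPASSWD" in t]


if __name__ == "__main__":
    for runas, tags, cmnd in effective_rules(RULE, ALIASES):
        print(f"({runas}) {' '.join(t + ':' for t in sorted(tags))} {cmnd}")
```
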