Bug 365 - request for sudoers to match most specific rule instead of last match seen
Status: NEW
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.2
Hardware: PC Linux
Importance: low enhancement
Assigned To: Todd C. Miller
http://bugs.debian.org/116705
Depends on:
Blocks:
Reported: 2009-08-31 14:43 MDT by Bdale Garbee
Modified: 2022-01-31 13:11 MST (History)
Description Bdale Garbee 2009-08-31 14:43:49 MDT
One of the users of my Debian packages of sudo requested a while back that sudo honor the most specific match instead of the last match seen in the sudoers file(s).  I'm personally satisfied with the current situation, but passing this along for your consideration.

Bdale
Comment 1 Marc Haber 2022-01-31 13:11:56 MST
This is the full report text from the Debian BTS:

consider the following scenario. you want a certain group of users to
be able to run a few commands as a different user. they must be run
non-interactively, therefore must not prompt for a password.

so, you add the following lines to /etc/sudoers:
Cmnd_Alias	THECOMMANDS = /bin/true, /bin/false
%thegroup		ALL=(user) NOPASSWD: THECOMMANDS

which works great.

however, one of your users (let's give them the completely fictional
username "ieure") is an admin, and needs full sudo access, but should
be asked for their password. you add the following line:
ieure			ALL=(ALL) ALL

which doesn't work great, since this rule gets applied when ieure runs
'sudo -u user /bin/true', which then prompts for a password.

if i move the "ieure ALL=(ALL) ALL" line above the %thegroup line, it
works. looks like it just takes the last match, instead of the most
specific.
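The ordering effect the report describes can be checked without touching a real sudoers file. The following is an added example, not sudo's own code or anything from the Debian or sudo bug trackers: a small Python model of sudoers entry matching that implements the last-match-wins rule sudo uses, plus an assumed "most specific entry wins" policy (one point per field that names something concrete instead of ALL) standing in for what the reporter asked for. The two entries are the ones from the report; the assumption that ieure is a member of thegroup is the report's implied setup.

```python
"""Added example (not sudo's own code): a toy model of how sudoers picks a
rule when several entries match, using the two entries from the report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    who: str               # "ieure" for a user, "%thegroup" for a group
    runas: frozenset       # allowed target users; frozenset({"ALL"}) means any
    commands: frozenset    # allowed command paths; frozenset({"ALL"}) means any
    nopasswd: bool         # True when the entry carries the NOPASSWD tag


def matches(rule, user, groups, runas_user, command):
    """True if this sudoers entry applies to the request."""
    if rule.who.startswith("%"):
        if rule.who[1:] not in groups:
            return False
    elif rule.who != user:
        return False
    if "ALL" not in rule.runas and runas_user not in rule.runas:
        return False
    if "ALL" not in rule.commands and command not in rule.commands:
        return False
    return True


def resolve_last_match(rules, user, groups, runas_user, command):
    """sudo's behaviour: of all matching entries, the LAST one in the file wins."""
    winner = None
    for rule in rules:
        if matches(rule, user, groups, runas_user, command):
            winner = rule
    return winner


def specificity(rule):
    """Assumed metric for the requested behaviour: one point per field that
    names something concrete instead of ALL. A user name counts as specific,
    a group does not, since a group grants to many users."""
    return (
        (0 if rule.who.startswith("%") else 1)
        + (0 if "ALL" in rule.runas else 1)
        + (0 if "ALL" in rule.commands else 1)
    )


def resolve_most_specific(rules, user, groups, runas_user, command):
    """What the report asks for: the matching entry with the highest
    specificity wins; ties fall back to last match."""
    winner = None
    for rule in rules:
        if matches(rule, user, groups, runas_user, command) and (
            winner is None or specificity(rule) >= specificity(winner)
        ):
            winner = rule
    return winner


def needs_password(rules, user, groups, runas_user, command,
                   policy=resolve_last_match):
    """True if sudo would prompt; raises if no entry permits the command."""
    rule = policy(rules, user, groups, runas_user, command)
    if rule is None:
        raise PermissionError(f"{user} may not run {command} as {runas_user}")
    return not rule.nopasswd


ALL = frozenset({"ALL"})
THECOMMANDS = frozenset({"/bin/true", "/bin/false"})

# The two entries from the report, in the order the report lists them.
REPORT_ORDER = [
    Rule("%thegroup", frozenset({"user"}), THECOMMANDS, nopasswd=True),
    Rule("ieure", ALL, ALL, nopasswd=False),
]
# The order the reporter found makes the NOPASSWD entry take effect.
SWAPPED_ORDER = list(reversed(REPORT_ORDER))

# Assumption: ieure is a member of thegroup, as the report implies.
IEURE_GROUPS = frozenset({"thegroup"})


if __name__ == "__main__":
    for label, rules in (("report order", REPORT_ORDER), ("swapped order", SWAPPED_ORDER)):
        prompt = needs_password(rules, "ieure", IEURE_GROUPS, "user", "/bin/true")
        print(f"{label}: 'sudo -u user /bin/true' prompts ieure? {prompt}")
    prompt = needs_password(REPORT_ORDER, "ieure", IEURE_GROUPS, "user", "/bin/true",
                            policy=resolve_most_specific)
    print(f"most-specific policy: prompts ieure? {prompt}")
```

With the entries in the report's order, ieure's `ALL=(ALL) ALL` entry is the last match for `sudo -u user /bin/true`, so the model prompts; swapping the two entries makes the group's NOPASSWD entry the last match and the prompt disappears, exactly as the reporter observed. The model also shows why the ordering matters for review: a broad entry appended at the end of sudoers silently overrides every narrower entry above it for the same request, so it is worth checking with `sudo -l` after any edit that adds a catch-all rule.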