Bugzilla – Bug 365
request for sudoers to match most specific rule instead of last match seen
Last modified: 2022-01-31 13:11:56 MST
One of the users of my Debian packages of sudo requested a while back that sudo honor the most specific match instead of the last match seen in the sudoers file(s). I'm personally satisfied with the current situation, but passing this along for your consideration.

Bdale
This is the full report text from the Debian BTS:

Consider the following scenario. You want a certain group of users to be able to run a few commands as a different user. They must be run non-interactively, therefore must not prompt for a password. So, you add the following lines to /etc/sudoers:

    Cmnd_Alias THECOMMANDS = /bin/true, /bin/false
    %thegroup ALL=(user) NOPASSWD: THECOMMANDS

which works great. However, one of your users (let's give them the completely fictional username "ieure") is an admin, and needs full sudo access, but should be asked for their password. You add the following line:

    ieure ALL=(ALL) ALL

which doesn't work great, since this rule gets applied when ieure runs 'sudo -u user /bin/true', which then prompts for a password. If I move the "ieure ALL=(ALL) ALL" line above the %thegroup line, it works. Looks like it just takes the last match, instead of the most specific.
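The behaviour the report describes, last matching entry wins rather than most specific, is easy to misread when a sudoers file grows. The following is an added example, not sudo's code and not part of the bug report: a deliberately reduced model of sudoers evaluation that walks the rules in order and lets the last match decide, then runs the report's two rules in both orderings. It assumes (as the report implies, since the %thegroup line fires for ieure) that ieure is a member of thegroup; the user names alice and the Cmnd_Alias expansion table are constructed for the demonstration.

```python
"""Toy model of sudoers evaluation under last-match-wins semantics.

Added example for sudo bug 365; this is not sudo's own matching code.
Supported subset: one user or %group per rule, one run-as user, a command
list (optionally via a Cmnd_Alias), and a NOPASSWD flag.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    who: str          # "ieure" (a user) or "%thegroup" (a group)
    runas: str        # "ALL" or a single target user
    commands: tuple   # ("ALL",), alias names, or absolute command paths
    nopasswd: bool = False


# Cmnd_Alias THECOMMANDS = /bin/true, /bin/false   (as in the report)
CMND_ALIASES = {"THECOMMANDS": ("/bin/true", "/bin/false")}


def expand(commands):
    """Replace alias names with their member commands."""
    out = []
    for c in commands:
        out.extend(CMND_ALIASES.get(c, (c,)))
    return tuple(out)


def rule_matches(rule, user, groups, runas, command):
    """True if this single sudoers entry applies to the invocation."""
    if rule.who.startswith("%"):
        if rule.who[1:] not in groups:
            return False
    elif rule.who != user:
        return False
    if rule.runas not in ("ALL", runas):
        return False
    cmds = expand(rule.commands)
    return "ALL" in cmds or command in cmds


def evaluate(rules, user, groups, runas, command):
    """Return "deny", "password" or "nopasswd" for the invocation.

    Every rule is examined and the LAST matching one decides, which is the
    behaviour the report observed (and what sudoers documents).
    """
    winner = None
    for rule in rules:
        if rule_matches(rule, user, groups, runas, command):
            winner = rule
    if winner is None:
        return "deny"
    return "nopasswd" if winner.nopasswd else "password"


# The two entries from the report.
GROUP_RULE = Rule("%thegroup", "user", ("THECOMMANDS",), nopasswd=True)
ADMIN_RULE = Rule("ieure", "ALL", ("ALL",))

ORIGINAL_ORDER = (GROUP_RULE, ADMIN_RULE)   # admin line appended last
REORDERED = (ADMIN_RULE, GROUP_RULE)        # admin line moved above the group line

# Assumption: ieure is a member of thegroup (otherwise the group rule never fires).
IEURE_GROUPS = {"thegroup"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_ORDER), ("reordered", REORDERED)):
        result = evaluate(rules, "ieure", IEURE_GROUPS, "user", "/bin/true")
        print(f"{name:9s}: ieure runs 'sudo -u user /bin/true' -> {result}")
        result = evaluate(rules, "ieure", IEURE_GROUPS, "root", "/bin/ls")
        print(f"{name:9s}: ieure runs 'sudo /bin/ls'            -> {result}")
```

Running it shows the report's symptom directly: in the original order the broad `ieure ALL=(ALL) ALL` entry is the last match for `sudo -u user /bin/true`, so a password is demanded; with the admin line moved first the NOPASSWD group entry is the last match, while `sudo /bin/ls` still falls through to the admin entry and prompts. The practical rule for a real sudoers file follows from this: put the narrowest exceptions after the broad grants, and confirm the outcome with `sudo -l` as the affected user rather than by reading the file.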