Bugzilla – Bug 924
Sudo parses '-u' argument several times. Security implications.
Last modified: 2020-05-11 20:56:59 MDT
I have found the following behavior:

    $ sudo -u www-data id
    uid=33(www-data) gid=33(www-data) grupos=33(www-data)
    $ sudo -u www-data -u root id
    uid=0(root) gid=0(root) grupos=0(root)

I actually found this in a "hack me" machine in a laboratory. A program allowed in the sudoers file had a different vulnerability to be exploited, but I could exploit this one much more easily. The program in question was executed as root via sudo, but internally it validated the provided credentials of a user and then executed commands as that user using "sudo -u user <command_here>". It was converted to a list of arguments to avoid other forms of command injection. For this reason, if I authenticated as any user but then ran "-u root <my_command>", it ran as root.

I know that this program is nonsense and that, at the very least, it should run as "sudo -u user -- <command_here>"; however, I wonder why sudo allows this, as it is clear that it can lead to security problems, while I fail to see any advantage to this behavior. I tested this also in current Debian and Ubuntu versions (sudo 1.8.27), reproducing the results. I am sorry if I am failing to see something here, but I thought it would be worth opening a bug about this.
Sudo 1.9.0 includes a change to only allow command line options that take an argument to be specified once.
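
Added example (not part of the bug thread and not sudo's own code): a simplified model of the option parsing discussed above, comparing the wrapper's argument list with and without "--", under the last-value-wins behavior reported for 1.8.27 and under the once-only rule of 1.9.0. The function names are hypothetical, only -u is modelled, and the requested command is constructed from the report.

```python
import getopt

def parse_sudo_argv(argv, reject_duplicates):
    """Simplified model of sudo's option parsing; only -u is modelled (assumption).

    Like sudo, parsing stops at "--" or at the first non-option word.
    reject_duplicates=False models the behavior reported for 1.8.27 (the last
    -u wins); True models the 1.9.0 change described in the reply.
    """
    opts, command = getopt.getopt(argv[1:], "u:")
    users = [value for flag, value in opts if flag == "-u"]
    if reject_duplicates and len(users) > 1:
        raise ValueError("-u may only be specified once")
    # With no -u at all, sudo's default target user is root.
    return (users[-1] if users else "root"), command

def wrapper_argv_unsafe(user, requested):
    # What the wrapper in the report did: caller-controlled words follow
    # directly after the options, so a leading "-u" is parsed by sudo itself.
    return ["sudo", "-u", user] + list(requested)

def wrapper_argv_hardened(user, requested):
    # "--" ends option parsing: everything after it is the command and its
    # arguments, whatever it looks like.
    return ["sudo", "-u", user, "--"] + list(requested)

if __name__ == "__main__":
    requested = ["-u", "root", "id"]  # constructed input, taken from the report
    for build in (wrapper_argv_unsafe, wrapper_argv_hardened):
        argv = build("www-data", requested)
        for strict in (False, True):
            try:
                result = parse_sudo_argv(argv, strict)
            except ValueError as exc:
                result = f"rejected: {exc}"
            print(build.__name__, "1.9.0 rule" if strict else "1.8.27 rule", result)
```

With "--" in place the target user stays www-data under both rules, and the injected words are treated as the command name and its arguments instead of as sudo options.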