0
I can't understand the difference between these two commands:
USER ALL=(ALL) NOPASSWD: ALL
AND
USER ALL=(OTHERUSER) NOPASSWD: ALL
Can anyone explain the () change? Thanks
0
From man 5 sudoers:

The basic structure of a user specification is who where = (as_whom) what.

And

The reserved word ALL is a built-in alias that always causes a match to succeed.

In your case the difference is in the (as_whom) field:

(ALL) means it's possible for USER to run commands as any user.
(OTHERUSER) means it's possible for USER to run commands as OTHERUSER (e.g. sudo -u OTHERUSER whoami).

Note it doesn't mean USER cannot run commands as YETANOTHERUSER. If USER tries to run something as YETANOTHERUSER then the line with (OTHERUSER) won't match and the parser will continue; some later line may match.
So the USER can execute sudo commands as OTHERUSER name or will have only the privileges of the OTHERUSER? – Pedro Macedo Vilas – 2018-11-22T18:11:36.813

@PedroMacedoVilas The user chooses whom to impersonate explicitly with sudo -u chosen_user some_command, like in the example I added to my answer. If the user is allowed to run some_command as chosen_user then the command will run with privileges of chosen_user. – Kamil Maciorowski – 2018-11-22T18:19:16.517
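
The matching described in the answer above, as an added example that is not part of the original posts and is not sudo's own parser: a simplified Python model that evaluates sudo -u target command against a few user specifications and lists which accounts a user can impersonate. It assumes plain one-line specifications only (no aliases, %groups, negation or command arguments); USER, OTHERUSER, YETANOTHERUSER and ADMIN are placeholder names and the policy lines are constructed.

```python
import re

# Simplified model of one sudoers user specification:
#   who where = (as_whom) [NOPASSWD:] what
# Assumptions: no aliases, %groups, negation (!) or command arguments;
# the Runas group part after ':' is ignored.
SPEC = re.compile(
    r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.+)$")

def parse(line):
    m = SPEC.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    who, where, runas, tag, what = m.groups()
    # An omitted (as_whom) field means the command may only run as root.
    runas_users = [u.strip() for u in (runas or "root").split(":")[0].split(",")]
    commands = [c.strip() for c in what.split(",")]
    return who, where, runas_users, tag == "NOPASSWD:", commands

def _hit(value, allowed):
    # ALL is the built-in alias that always causes a match to succeed.
    return "ALL" in allowed or value in allowed

def check(specs, user, host, target, command):
    """Return None (no line matches), 'nopasswd' or 'passwd'.
    Every line is examined in order and, as in sudoers, the last match wins."""
    result = None
    for who, where, runas, nopasswd, commands in specs:
        if (_hit(user, [who]) and _hit(host, [where])
                and _hit(target, runas) and _hit(command, commands)):
            result = "nopasswd" if nopasswd else "passwd"
    return result

def targets(specs, user):
    """Audit helper: every as_whom value that lines for `user` grant."""
    return sorted({t for who, _, runas, _, _ in specs
                   if _hit(user, [who]) for t in runas})

# Constructed sample policy using the placeholder names from the question.
POLICY = [parse(line) for line in (
    "USER  ALL=(OTHERUSER) NOPASSWD: ALL",
    "USER  ALL=(YETANOTHERUSER) /usr/bin/id",
    "ADMIN ALL=(ALL) NOPASSWD: ALL",
)]

if __name__ == "__main__":
    for target, cmd in (("OTHERUSER", "/usr/bin/whoami"),
                        ("YETANOTHERUSER", "/usr/bin/id"), ("root", "/usr/bin/id")):
        print(f"sudo -u {target} {cmd}:", check(POLICY, "USER", "host1", target, cmd))
```

An entry of ALL in the output of targets() is the case to review first: combined with NOPASSWD: ALL it lets that account run any command as any user, root included, without authenticating.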