Sudoers Command

0

I can't understand the difference between these two commands:

USER ALL=(ALL) NOPASSWD: ALL

and

USER ALL=(OTHERUSER) NOPASSWD: ALL

Can anyone explain the () change? Thanks

Pedro Macedo Vilas

Posted 2018-11-22T16:45:26.370

Reputation: 3

Answers

0

From man 5 sudoers:

The basic structure of a user specification is who where = (as_whom) what.

And

The reserved word ALL is a built-in alias that always causes a match to succeed.

In your case the difference is in the (as_whom) field:

  • (ALL) means it's possible for USER to run commands as any user.
  • (OTHERUSER) means it's possible for USER to run commands as OTHERUSER (e.g. sudo -u OTHERUSER whoami).

    Note it doesn't mean USER cannot run commands as YETANOTHERUSER. If USER tries to run something as YETANOTHERUSER then the line with (OTHERUSER) won't match and the parser will continue; some later line may match.

Kamil Maciorowski

Posted 2018-11-22T16:45:26.370

Reputation: 38 429

So the USER can execute sudo commands as OTHERUSER name or will have only the privileges of the OTHERUSER? – Pedro Macedo Vilas – 2018-11-22T18:11:36.813

@PedroMacedoVilas The user chooses whom to impersonate explicitly with sudo -u chosen_user some_command, like in the example I added to my answer. If the user is allowed to run some_command as chosen_user then the command will run with privileges of chosen_user. – Kamil Maciorowski – 2018-11-22T18:19:16.517
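The (as_whom) matching described in the answer above, as an added example that is not part of the original post and is not sudo's own parser: a simplified Python evaluator for who where = (as_whom) what lines that applies sudoers' last-match-wins rule. The sample policy, the ADMIN account, the /usr/bin/id rule and the function names are constructed for illustration; aliases, groups, negation, runas groups and command arguments are not handled.

```python
import re

# Simplified user specification: who where = (as_whom) [TAG:] what
SPEC = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Constructed sample policy (not from a real system).
SAMPLE = """\
USER   ALL=(OTHERUSER) NOPASSWD: ALL
USER   ALL=(YETANOTHERUSER) /usr/bin/id
ADMIN  ALL=(ALL) NOPASSWD: ALL
"""

def parse(text):
    """Parse each line into a rule dict; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC.match(line)
        if m is None:
            raise ValueError(f"unsupported line: {line!r}")
        who, where, as_whom, tags, what = m.groups()
        rules.append({
            "who": [who], "where": [where],
            "as_whom": [u.strip() for u in as_whom.split(",")],
            "nopasswd": "NOPASSWD:" in tags,
            "what": [c.strip() for c in what.split(",")],
        })
    return rules

def _match(items, value):
    # The reserved word ALL always matches; otherwise require an exact name.
    return "ALL" in items or value in items

def check(rules, user, runas, command, host="localhost"):
    """Return (allowed, nopasswd); the last matching line decides."""
    result = (False, False)
    for r in rules:
        if (_match(r["who"], user) and _match(r["where"], host)
                and _match(r["as_whom"], runas) and _match(r["what"], command)):
            result = (True, r["nopasswd"])
    return result

if __name__ == "__main__":
    rules = parse(SAMPLE)
    for runas in ("OTHERUSER", "YETANOTHERUSER", "root"):
        print("USER as", runas, check(rules, "USER", runas, "/usr/bin/id"))
```

On a real system, sudo -l -U USER run by an administrator lists what sudo itself computes for that account, which is the authoritative check.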