What do the "ALL"s in the line "%admin ALL=(ALL) ALL" in Ubuntu's /etc/sudoers file stand for?

18

12

What does each ALL mean? I understand that the whole line indicates that the admin group members get administrative privileges, but would like to know more info about the position of the ALLs and if they each refer to a different set of permissions or something like that?

$ sudo cat /etc/sudoers
...
# User privilege Information
root ALL=(ALL) ALL
#...
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

#Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
#

If it matters: OS: Ubuntu : 10.4

Sri Kadimisetty

Posted 2011-11-15T01:02:25.737

Reputation: 329

Answers

21

There is a manual page for sudoers(5).

Basically:

  • %admin – the group named "admin" (% prefix)
  • ALL= – on all hosts (if you distribute the same sudoers file to many computers)
  • (ALL) – as any target user
  • ALL – can run any command

A more restricted example would be:

%mailadmin   snow,rain=(root) /usr/sbin/postfix, /usr/sbin/postsuper, /usr/bin/doveadm
nobody       ALL=(root) NOPASSWD: /usr/sbin/rndc reload

In this case, the group mailadmin is allowed to run mail server control tools as user root on hosts named "snow" and "rain". The user nobody is allowed to run rndc reload as root, on all hosts, without being asked for any password. (Normally sudo asks for the invoker's own password.)

user1686

Posted 2011-11-15T01:02:25.737

Reputation: 283 655

6 What about the extra "ALL" after the ":" in "ALL=(ALL:ALL) ALL"? – colan – 2012-05-11T03:37:11.197

5 @colan: List of allowed groups for switching with the -g option. It's under "User Specification" in the manpage. – user1686 – 2012-05-11T04:08:15.240
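
Added example, not part of the answer or comments above and not sudo's own parser: a simplified Python parser that splits the user-specification lines discussed here into who, hosts, target users, target groups, tags and commands, and flags entries that allow any command. It assumes no aliases, line continuations or escaped commas; `parse_spec`, `is_unrestricted` and the `%sudo ALL=(ALL:ALL) ALL` sample line are constructed for illustration.

```python
import re

# Simplified sudoers(5) user specification (assumed grammar, no aliases):
#   who  hosts = [(runas_users[:runas_groups])] [TAG:]... commands
SPEC = re.compile(r"""
    ^(?P<who>\S+)\s+
    (?P<hosts>[^=]+?)\s*=\s*
    (?:\(\s*(?P<users>[^:)]*?)\s*(?::\s*(?P<groups>[^)]*?)\s*)?\)\s*)?
    (?P<tags>(?:[A-Z_]+:\s*)*)
    (?P<cmds>.+)$
""", re.VERBOSE)

def _items(text):
    """Split a comma-separated sudoers list into stripped entries."""
    return [part.strip() for part in (text or "").split(",") if part.strip()]

def parse_spec(line):
    """Return the fields of one user specification, or None for other lines."""
    m = SPEC.match(line.strip())
    # '#' lines are comments or directives such as #includedir, not user specs.
    if m is None or line.lstrip().startswith(("#", "Defaults")):
        return None
    return {
        "who": m["who"].lstrip("%"),
        "is_group": m["who"].startswith("%"),      # % prefix marks a group
        "hosts": _items(m["hosts"]),
        # With no "(...)" part, sudoers(5) defaults the target user to root.
        "runas_users": _items(m["users"]) if m["users"] is not None else ["root"],
        "runas_groups": _items(m["groups"]),       # part after ':' (sudo -g)
        "tags": re.findall(r"[A-Z_]+", m["tags"]),
        "commands": _items(m["cmds"]),
    }

def is_unrestricted(spec):
    """True when the entry allows any command as any user or as root."""
    return "ALL" in spec["commands"] and bool({"ALL", "root"} & set(spec["runas_users"]))

# Lines from the page, plus one constructed line using the (ALL:ALL) form.
SAMPLE = """\
%admin ALL=(ALL) ALL
%mailadmin   snow,rain=(root) /usr/sbin/postfix, /usr/sbin/postsuper, /usr/bin/doveadm
nobody       ALL=(root) NOPASSWD: /usr/sbin/rndc reload
%sudo ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        spec = parse_spec(raw)
        print(spec, "unrestricted" if is_unrestricted(spec) else "restricted")
```

Running the same check over a real file is a quick way to list which entries grant full root, though `visudo -c` remains the tool for validating syntax.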