In the sudoers file, you can have either of the following lines

modernNeo ALL=(ALL:ALL) ALL
modernNeo ALL=(ALL) ALL

I looked at the following answers on here to understand this

Question 1

If I understand correctly from those above answers:

  • (ALL:ALL) means that you can run the command as any user and any group
  • (ALL) means that you can run the command as any user but your group remains the same [it remains your own group] - regardless of the user you become when you use sudo with ALL for the third entry?

Question 2

But with (ALL:ALL)

  • If you can run it as any group, how does sudo decide what group you run the command as if you don't specify it on the commandline using -g?
  • does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?
  • Where does it get the list of groups from and what is the order of the groups on that list?
  • Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn't specified? If that is the case, why do (ALL:ALL) when you can do (root:root) ?

Question 3

Furthermore, in this Ubuntu Forums post, with regards to the following lines

%admin ALL=(ALL) ALL

%sudo ALL=(ALL:ALL) ALL

They say that

Users in the admin group may become root. Users in the sudo group can only use the sudo command. For instance, they could not sudo su

(ALL:ALL) refers to (user:group) that sudo will use. It can be specified with -u and -g when you run sudo. If you don't specify anything it will run as root:root, which is the default. That's how most end up using it anyway.

That confuses me; they are stating that if you can take on any group when running a command, then you are unable to become root?


1 Answer

A line like:

smith ALL=(ALL) ALL

will allow the user smith to use sudo to run, on any computer (the first ALL), as any user (the second ALL, the one inside parentheses), any command (the last ALL). This command will be allowed by sudo:

smith@site ~ $ sudo -u root -g root bash

But this won't:

smith@site ~ $ sudo -u root -g smith bash

as the permissions for ANY group have not been declared.

This, however:

smith ALL=(ALL:ALL) ALL

will allow this command to be executed (assuming user tom and group sawyer exist):

smith@site ~ $ sudo -u tom -g sawyer bash
tom@site ~ $ id
uid=1023(tom) gid=1087(sawyer) groups=1047(tom),1092(sawyer)

Having said that:

Q1

(ALL:ALL) means that you can run the command as any user and any group

Yes

(ALL) means that you can run the command as any user …

Yes

… but your group remains the same [it remains your own group]

No, the only group allowed is root.

Q2

how does sudo decide what group you run the command as if you don't specify it on the commandline using -g?

It defaults to root.

does it first try to run it as your own group and then go through a list of all the groups on your machine before finding the group that allows you to run the command?

No.

Where does it get the list of groups from and what is the order of the groups on that list?

There is no list to use.  As stated above, it simply falls to default root when user:ALL is used, or to the named group if user:group is used.

Simple rules, simple actions.

Or does it just revert to using root for user and/or group when your preference for what user and/or group you want to become isn't specified?

Yes.

If that is the case, why do (ALL:ALL) when you can do (root:root) ?

Because with (ALL:ALL) you can do:

sudo -u tom -g sawyer id

But with (root:root) you can only do:

sudo -u root -g root id

and nothing else (user- and group-wise).

Q3

For these lines:

    %admin  ALL=(ALL)     ALL
    %sudo   ALL=(ALL:ALL) ALL

Users in the admin group may become root.

Yes, users in the admin group (%) could become ANY user (including root) (because of the (ALL)) but only the root group.

Users in the sudo group can only use the sudo command.

That is incorrect. The users in the sudo group (%) could execute any command (the last ALL).

Users in the sudo group (%) could become any user (the (ALL:) part) and any group (the (:ALL) part) AND may execute any command (the last ALL) (not only sudo, which is specifically incorrect).

For instance, they could not sudo su

No, they could do sudo su or sudo ls or sudo anycommand.

(ALL:ALL) refers to (user:group) that sudo will use.  It can be specified with -u and -g when you run sudo.

They are correct here. The command sudo -u tom -g sawyer ls is correct and valid.

If you don't specify anything it will run as root:root, which is the default.

And are correct here as well. The command sudo ls will be executed with root:root credentials (i.e., powers / privileges).

That's how most end up using it anyway.

Correct, the most used sudo command doesn't specify either a user or group. So, it is the "most used, anyway" (default root:root).

That confuses me... they are stating that if you can take on any group when running a command, …

Yes, they state that with (ALL:ALL) the sudo command could take any user or group.

And:

… then you are unable to become root?

No, that interpretation is incorrect.

  • with (ALL:ALL) ALL sudo is allowed to become any user with any group to execute any command. Even root.

  • with (ALL) ALL sudo loses the ability to set the group, but could still set the user and run any command (sudo su - is allowed).

  • Excellent explanation - some confusion about the Question 3 is because the comments in the /etc/sudoers file - # Members of the admin group may gain root privileges for %admin ALL=(ALL) ALL and # Allow members of group sudo to execute any command for %sudo ALL=(ALL:ALL) ALL - I have the same confusion at - https://unix.stackexchange.com/questions/670761/etc-sudoers-clarification-about-all-vs-allall-for-groups – Manuel Jordan Sep 28 '21 at 01:02
  • The last sentence of your answer seems to be saying that the OP is misreading the linked Ubuntu Forums post. But that post *is* wrong; you say so yourself. IMHO, this is confusing. – Scott - Слава Україні Oct 06 '21 at 04:19
  • @Scott (1) Yes, this is confusing. (2) The linked Ubuntu Forums post involves three users: BLAK111 (asking) Dangertux (asserting that users in sudo group could only execute the sudo command) and Lars Noodén (clearing the errors in the last post). All those comments have been joined in one post by the OP here, that makes answering even more challenging. So, to start, not all of them are saying the same thing, some have correct statements and errors at the same time. (3) There is no one post correct or not. (Cont) –  Oct 06 '21 at 13:58
  • Modified the description at the end, I hope that will make things clear. @Scott –  Oct 06 '21 at 14:08
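The rules the answer walks through (a user-only Runas_Spec, a user:group one, and the "why not just (root:root)" case) can be checked mechanically. The following is an added example written for this page, not sudo's own matching code and not from the original post: a small model of the Runas_Spec rules in sudoers(5) with a constructed account table (the users and groups are assumptions, not real accounts). It also goes slightly beyond the cases above in one respect: current sudo releases let -g name any group the target user already belongs to, even when the rule lists no groups, while older releases rejected -g outright for a user-only Runas_Spec; the model follows the current behaviour and that is an assumption you should check against your own version's manual. Hosts, command lists, aliases, negation and Defaults are out of scope.

```python
"""Model of the sudoers(5) Runas_Spec "(users:groups)" rules.

Added example, not sudo's own code.  Rules modelled:
  (u)      -u must be in u; -g, if given, must be a group the TARGET user
           belongs to (older sudo releases rejected -g here altogether)
  (u:g)    -u must be in u; -g must be in g, or a group the target user belongs to
  (:g)     runs as the invoking user; -g must be in g
  omitted  treated as (root)
"ALL" matches anything in either list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample account database (assumption for the example only).
PASSWD = {"root": "root", "smith": "smith", "tom": "sawyer", "modernNeo": "modernNeo"}
GROUPS = {  # group -> supplementary members
    "root": [], "smith": [], "sawyer": [], "adm": ["tom"],
    "admin": ["smith"], "sudo": ["modernNeo"],
}


def user_groups(user: str) -> set:
    """Primary group plus every supplementary group the user is a member of."""
    return {PASSWD[user]} | {g for g, members in GROUPS.items() if user in members}


RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>.+)$"
)


@dataclass
class Rule:
    who: str                      # user name, %group, or ALL
    host: str
    runas_users: Optional[list]   # None = Runas_Spec omitted, [] = empty list
    runas_groups: Optional[list]
    command: str


def _split_list(text: str) -> list:
    return [x.strip() for x in text.split(",") if x.strip()]


def parse_rule(line: str) -> Rule:
    """Parse one 'who host=(users:groups) command' sudoers line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable sudoers line: {line!r}")
    users = groups = None
    if m["runas"] is not None:
        u, _, g = m["runas"].partition(":")
        users, groups = _split_list(u), _split_list(g)
    return Rule(m["who"], m["host"], users, groups, m["cmd"].strip())


def rule_applies_to(rule: Rule, invoker: str) -> bool:
    """User_List match: ALL, an exact user name, or %group membership."""
    if rule.who == "ALL":
        return True
    if rule.who.startswith("%"):
        return rule.who[1:] in user_groups(invoker)
    return rule.who == invoker


def resolve(rule: Rule, invoker: str, target_user: str = "root",
            target_group: Optional[str] = None) -> Optional[tuple]:
    """Return the (user, group) the command would run as, or None if denied.

    target_user / target_group mirror sudo's -u / -g.  -u defaults to root;
    when -g is absent the group is the target user's primary group.
    """
    if not rule_applies_to(rule, invoker):
        return None
    users, groups = rule.runas_users, rule.runas_groups
    if users is None:               # Runas_Spec omitted: root only
        users, groups = ["root"], []
    elif not users:                 # "()" or "(:g)": runs as the invoker
        users = [invoker]
    if "ALL" not in users and target_user not in users:
        return None
    if target_group is None:
        return (target_user, PASSWD[target_user])
    if "ALL" in groups or target_group in groups:
        return (target_user, target_group)
    # Current sudoers(5): a group the target user already belongs to may be
    # requested with -g even when the rule lists no groups.
    if target_group in user_groups(target_user):
        return (target_user, target_group)
    return None


if __name__ == "__main__":
    for line, invoker, u, g in [
        ("smith ALL=(ALL) ALL", "smith", "root", "root"),      # allowed
        ("smith ALL=(ALL) ALL", "smith", "root", "smith"),     # denied
        ("smith ALL=(ALL:ALL) ALL", "smith", "tom", "sawyer"), # allowed
        ("smith ALL=(root:root) ALL", "smith", "tom", "sawyer"),  # denied
        ("%sudo ALL=(ALL:ALL) ALL", "modernNeo", "root", None),   # root:root
    ]:
        print(f"{line:28} sudo -u {u} -g {g} as {invoker}: {resolve(parse_rule(line), invoker, u, g)}")
```

The model explains the answer's "it defaults to root": with no -u the target user is root, and with no -g the group is the target user's primary group, which for root is root; with (ALL) and `-u tom` the command runs with tom's primary group, not the invoker's. On a real host the authoritative check is `sudo -l -U smith` (what sudo itself will grant that user), and a fragment destined for /etc/sudoers.d should be syntax-checked with `visudo -cf <file>` before it is installed, since a broken sudoers file can lock everyone out of sudo.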