
Considering how getting this wrong is extremely dangerous, I feel it deserves an explicit answer. There are many other answers concerning the use of ALL in sudoers, but they do not directly answer this question:

Does ALL refer to users in a group; does ALL refer to access to Cmnd_Alias[es]; or can it refer to either and both depending on where it is located in the line?

For instance: a group like REGULARUSER ALL=(ALL) NOPASSWD: SHUTDOWN would mean ALL users in group REGULARUSER have access privileges to Cmnd_Alias SHUTDOWN.

In other words the syntax is: Group \ Users \ Command Permission Specifications. Is this correct?

So that means I can use ALL in instances like root to grant all privileges to all users in the group, hence the ALL=(ALL:ALL) ALL of user group root

Some other questions about the use of ALL

Trying to understand the difference between "modernNeo ALL=(ALL:ALL) ALL" and "modernNeo ALL=(ALL) ALL" in the sudoers file

"ALL ALL=(ALL) NOPASSWD:ALL" was auto added in my /etc/sudoers file. Is this a Security Breach?

Andrew
  • 119

1 Answer

From the manpage:

The reserved word ALL is a built-in alias that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias.

So, depending on the context, it can be all commands, all users or groups, all users or groups, or all hosts.

For instance: a group like REGULARUSER ALL=(ALL) NOPASSWD: SHUTDOWN would mean ALL users in group REGULARUSER have access privileges to Cmnd_Alias SHUTDOWN.

Yes, but "all users" isn't because of any ALL present in the rule. The first ALL is for the Host_Alias, and the second ALL is for the Runas_Alias. It's because the User_List and Runas_List can include groups:

A User_List is made up of one or more user names, user IDs (prefixed with ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respectively), netgroups (prefixed with ‘+’), non-Unix group names and IDs (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases.

And:

A Runas_List is similar to a User_List except that instead of User_Aliases it can contain Runas_Aliases.

And when the User_List includes a group, it means all members of that group, unless you exclude specific members by negation.

In other words the syntax is: Group \ Users \ Command Permission Specifications.

Not at all. See the manpage for EBNF description of the grammar, but roughly it is:

<user_list> <host_list> = (<runas_list>) <tags> <commands>

Or, from the manpage:

The basic structure of a user specification is “who where = (as_whom) what”.

muru
  • 72,889
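As an added example (not code from the question or from muru's answer), the following Python splits a sudoers user specification into the four positions the answer names, "who where = (as_whom) what", so that each ALL is read in the slot it actually occupies, and it flags the "ALL ALL=(ALL) NOPASSWD:ALL" shape the question links to. It handles the simplified one-rule-per-line form only (no backslash continuations, no alias expansion, no Defaults parsing); the SAMPLE text, the warning strings and the helper names are mine.

```python
"""Parse sudoers user specifications and flag rules that hand out everything.

Added example, not code from the question or answer. Covers the one-line form
  <user_list> <host_list> = (<runas_user>[:<runas_group>]) [tags] <commands>
and skips comments, Defaults lines and alias definitions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tags sudoers accepts in front of a command list (sudoers(5), Tag_Spec).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

RULE_RE = re.compile(r"""
    ^\s*(?P<users>\S+)\s+            # who:     user, #uid, %group, %#gid, +netgroup, User_Alias, ALL
    (?P<hosts>[^=\s]+)\s*=\s*        # where:   host, IP, Host_Alias, ALL
    (?:\((?P<runas>[^)]*)\)\s*)?     # as_whom: optional (user[:group]); absent means runas_default
    (?P<rest>\S.*?)\s*$              # what:    optional tags followed by the command list
""", re.VERBOSE)


@dataclass
class Rule:
    users: str
    hosts: str
    runas_user: str
    runas_group: Optional[str]
    tags: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


def who_kind(users: str) -> str:
    """Classify the first entry of a User_List by its prefix (sudoers(5), User_List)."""
    first = users.split(",")[0]
    if first == "ALL":
        return "everyone"
    if first.startswith("%#"):
        return "group id"
    if first.startswith("%:"):
        return "non-Unix group"
    if first.startswith("%"):
        return "group"
    if first.startswith("#"):
        return "user id"
    if first.startswith("+"):
        return "netgroup"
    return "user or User_Alias"


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    runas = m.group("runas")
    if runas is None:
        # No Runas_Spec: sudoers falls back to runas_default, which is root unless changed.
        runas_user, runas_group = "root", None
    else:
        user_part, _, group_part = runas.partition(":")
        runas_user = user_part.strip() or "<invoking user>"  # "(:grp)" keeps the caller's uid
        runas_group = group_part.strip() or None            # "(ALL)" alone names no runas group
    rest = m.group("rest")
    tags: List[str] = []
    while True:  # peel "TAG:" prefixes such as "NOPASSWD: " off the front of the command list
        t = re.match(r"([A-Z_]+)\s*:\s*", rest)
        if not t or t.group(1) not in TAGS:
            break
        tags.append(t.group(1))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return Rule(m.group("users"), m.group("hosts"), runas_user, runas_group, tags, commands)


def grants_everything_to_everyone(rule: Rule) -> bool:
    """True for the shape 'ALL ALL=(ALL) ... ALL': any user, any host, any target user, any command."""
    return (rule.users == "ALL" and rule.hosts == "ALL"
            and rule.runas_user == "ALL" and "ALL" in rule.commands)


def scan(sudoers_text: str):
    """Yield (line number, Rule, warnings) for each user specification in a sudoers body."""
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if re.match(r"(User|Runas|Host|Cmnd)_Alias\b", line):
            continue
        rule = parse_rule(line)
        warnings = []
        if grants_everything_to_everyone(rule):
            warnings.append("every user may run every command as any user")
        if "NOPASSWD" in rule.tags and "ALL" in rule.commands:
            warnings.append("unrestricted command list with no password prompt")
        yield n, rule, warnings


# Constructed sample sudoers body built from the rules quoted in the question.
SAMPLE = """\
# comment line, skipped by scan()
Defaults env_reset
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
REGULARUSER ALL=(ALL) NOPASSWD: SHUTDOWN
modernNeo ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for n, rule, warnings in scan(SAMPLE):
        print(f"line {n}: who={rule.users} ({who_kind(rule.users)}) where={rule.hosts} "
              f"as={rule.runas_user}:{rule.runas_group or '-'} tags={rule.tags} what={rule.commands}")
        for w in warnings:
            print(f"    WARNING: {w}")
```

The parser is only a reading aid for the grammar; on a real system the syntax check is `visudo -c -f <file>` and the effective-policy check is `sudo -l -U <user>`, which also expands the aliases this example leaves untouched.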