
About configuration(s) for the /etc/sudoers file with visudo I have read the following tutorials (among others):

A very important part is the following structure:

  • user hostname=(runas-user:runas-group) command

I understand the following about users:

root ALL=(ALL:ALL) ALL
hope ALL=(ALL:ALL) ALL

What is not clear for me is about the %groups. In the /etc/sudoers file are shown the %admin and %sudo groups as follow:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

About (ALL) vs (ALL:ALL)

  1. When would the former be mandatory over the latter, and vice versa?
  2. What type of commands should work with the former and the latter respectively?

So, it is not clear to me (even with the available comments for each one); therefore, if I want to create a new group (i.e. developers) I don't know if it should be declared (ALL) or (ALL:ALL).

Manuel Jordan
  • Cross-posted: https://askubuntu.com/questions/1366076/etc-sudoers-clarification-about-all-vs-allall-for-groups – GAD3R Sep 27 '21 at 16:34

1 Answer


The 'run-as-specification' is coupled with the -u and -g options of sudo.

  1. With (ALL), you are allowed to run the subsequent commands as any user. The syntax for that will be sudo -u <user> command.
  2. With (:ALL) you are allowed to run the subsequent commands as any group. The syntax for that will be sudo -g <group> command.
  3. With (ALL:ALL), you are allowed to run the subsequent commands as any user and/or as any group. Note that this configuration does not force the use of a user and group, so you can do:
  • sudo -u <user> command
  • sudo -g <group> command
  • sudo -u <user> -g <group> command

See the 'Runas_Spec' section of the sudoers manual for more details, and some examples.

Haxiel
    There's no difference in security between ALL and ALL:ALL unless command is restricted to a command that cares about its primary group when running as root. Both allow running with arbitrary permissions since you can rebound on the root user. The reason to choose between a wildcard and a specific user/group has nothing to do with personal workstation vs restricted environment, it's about what the rule is for. – Gilles 'SO- stop being evil' Sep 27 '21 at 08:11
  • @Haxiel (1) I have never (:ALL) for groups, interesting (2) about "The (ALL:ALL) option offers maximum flexibility, but limited security" - what is the problem with security? – Manuel Jordan Sep 27 '21 at 13:28
  • @Gilles'SO-stopbeingevil' - "The reason to choose between a wildcard and a specific user/group has nothing to do with personal workstation vs restricted environment, it's about what the rule is for" - can you please post your answer, expanding the explanation for that? The point of my question is to know when to use (ALL) vs "(ALL:ALL)". – Manuel Jordan Sep 27 '21 at 13:31
  • @ManuelJordan I seem to have gone off on a tangent there; sorry about that. I'll remove that section for now and will update it after a bit more research. – Haxiel Sep 27 '21 at 15:12
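As an added example (not part of the original answer or of the sudo project), the rules Haxiel lists can be checked mechanically: the script below parses a Runas_Spec such as (ALL), (:ALL) or (ALL:ALL) and decides whether a given sudo -u/-g combination matches it. It is a simplified model of the Runas_Spec section of sudoers(5) (no netgroups, no '!' negation, runas_default assumed to be root), and the group memberships in GROUPS are constructed sample data.

```python
import re

# Matches "(users)", "(:groups)" or "(users:groups)"; each list is comma separated.
RUNAS_RE = re.compile(r"^\s*\(\s*([^:)]*?)\s*(?::\s*([^)]*?))?\s*\)\s*$")

# Constructed sample group memberships (assumption, not from the original post).
GROUPS = {"root": {"root"}, "hope": {"hope", "sudo"}, "www-data": {"www-data"}}


def parse_runas(spec):
    """Split a Runas_Spec into (user_list, group_list) sets; None means the list is absent."""
    m = RUNAS_RE.match(spec)
    if not m:
        raise ValueError(f"not a Runas_Spec: {spec!r}")

    def split(text):
        return {x.strip() for x in text.split(",") if x.strip()}

    users = split(m.group(1)) or None
    groups = split(m.group(2)) if m.group(2) is not None else None
    return users, groups


def _listed(name, runas_list):
    return "ALL" in runas_list or name in runas_list


def permits(spec, user=None, group=None, invoking="hope", groups_of=GROUPS):
    """Does `sudo [-u user] [-g group] command` match this Runas_Spec?
    Simplified model of sudoers(5): plain `sudo` targets root; `-g` alone
    keeps the invoking user as the target and only changes the group."""
    users, grps = parse_runas(spec)
    target = user if user is not None else ("root" if group is None else invoking)
    if user is not None or group is None:
        # The target user must be in the rule's user list. A rule with only a
        # group list, like (:ALL), lets you run only as yourself.
        if users is None:
            if target != invoking:
                return False
        elif not _listed(target, users):
            return False
    if group is not None:
        # -g must be in the rule's group list; if the rule has no group list,
        # the group must be one the target user already belongs to.
        if grps is not None:
            return _listed(group, grps)
        return group in groups_of.get(target, set())
    return True
```

With the sample data, (ALL) lets hope run as any user but not as root with an unrelated primary group, while (ALL:ALL) allows any user/group combination.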