Help me understand the permission syntax in sudoers file

Question

Based on the file itself:

Next comes the main part: which users can run what software on which machines (the sudoers file can be shared between multiple systems). Syntax:
  user    MACHINE=COMMANDS

OK for example we have this:

john.doe ALL=(ALL:ALL) /sbin/ifup, /sbin/ifdown

which means john.doe is given permission to issue the ifup and ifdown commands using sudo. What I don't understand is the part in parenthesis. I just know that the first one is user and the second is group. But what is this for while we already have specified users in the first of line? Thank You

Does this answer your question? Trying to understand the difference between "modernNeo ALL=(ALL:ALL) ALL" and "modernNeo ALL=(ALL) ALL" in the sudoers file — muru, Mar 16 '22 at 09:03
john.doe is the user who's allowed to run sudo here, and ALL:ALL refers to the users that john.doe can run these commands as. (sudo's not just for running as root - you can run commands as other users too) — muru, Mar 16 '22 at 09:04
It's real simple according to the man page that then goes in to walls of text explaining how it works :/ Is this explanation enough? I think a whole book could be dedicated to the topic. — CR., Mar 16 '22 at 09:12

score 2 · Accepted Answer · answered Mar 16 '22 at 09:17

2

Breaking down your example:

john.doe
ALL=
(ALL:ALL)
/sbin/ifup, /sbin/ifdown

(1) The user john.doe can (2) regardless of the machine name (3) pretend to be any (ALL) user-id, or belong to any (:ALL) group for the purposes of running (4) these commands. So, for instance, john.doe run the /sbin/ifup command as any user he wishes:

$ sudo -u vahid2015 /sbin/ifdown eth0

and you'd get the blame!

Generally you don't need the (ALL:ALL) part, the default is root and that is the most common case. If a use should run a command as, let's say, and operator use (operator) for the uid or (:operator) for the gid.

It's good to specify the machine names if possible, however the use of ALL= permits a common sudoers file to be maintained across a managed set of machines.

answered Mar 16 '22 at 09:17

1

sample time you run sudo as non root is sudo -u apache rm /var/www/html/someplace/* you then need john.doe (apache) rm /var/www/html/someplace/* – Archemar Mar 16 '22 at 09:39
1

Good example, but shouldn't it be john.doe (apache) rm? – Mar 16 '22 at 09:46
1

well /bin/rm and you may want to restrict apache's files john.doe is allowed to delete. – Archemar Mar 16 '22 at 09:57
Did you miss machine name? john.doe ALL =(apache) .... – Vahid2023 Mar 16 '22 at 15:58
By the way when I make a file as root user I can't modify it under another user in direct admin so I have to sudo as another user/group – Vahid2023 Mar 16 '22 at 16:00

Help me understand the permission syntax in sudoers file

1 Answers1