The man page says:
If both Runas_Lists are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no Runas_Spec is specified, the command may only be run as root and the group, if specified, must be one that root is a member of.
Also regarding runas_default it says:
runas_default The default user to run commands as if the -u option is not specified on the command line. This defaults to root.
The way I understand it is that runas_default has no effect on Runas_Spec, but merely sets the default value of -u when sudo is invoked, and that an empty Runas_Spec allows running as root in any case.
What I'm seeing though is that a missing Runas_Spec actually allows running the command as runas_default:
Defaults runas_default="ubuntu"
test ALL = /norunas
test ALL = () /emptyrunas
test ALL = (:) /emptyrunas2
results in:
User test may run the following commands on ip-172-31-44-38:
(ubuntu) /norunas
(test) /emptyrunas
(test) /emptyrunas2
Is the man page incorrect or is this a bug?
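Added example (not part of the original post, and not sudo's own code): a small Python model that reproduces the `sudo -l` listing shown in the question and flags rules whose target account follows `runas_default`. The function names are hypothetical, and it handles only simple one-line rules like the ones quoted here (no aliases, tags or line continuations).

```python
import re

# Constructed input: the sudoers lines quoted in the question above.
SUDOERS = """\
Defaults runas_default="ubuntu"
test ALL = /norunas
test ALL = () /emptyrunas
test ALL = (:) /emptyrunas2
"""

DEFAULT_RE = re.compile(r'^Defaults\s+runas_default\s*=\s*"?([^"\s]+)"?\s*$')
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(\S.*)$')


def resolve_runas(sudoers_text):
    """Return (user, runas, command, spec_kind) for each simple user rule."""
    lines = [l.strip() for l in sudoers_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]

    # Pass 1: Defaults apply to the whole policy, so collect them first.
    runas_default = "root"  # documented default when the option is unset
    for line in lines:
        m = DEFAULT_RE.match(line)
        if m:
            runas_default = m.group(1)

    # Pass 2: classify each rule by how its Runas_Spec is written.
    results = []
    for line in lines:
        m = None if line.startswith("Defaults") else RULE_RE.match(line)
        if not m:
            continue
        user, _host, spec, command = m.groups()
        if spec is None:                        # no parentheses at all
            results.append((user, runas_default, command, "missing"))
            continue
        users = spec.split(":", 1)[0].strip()
        if users:                               # explicit Runas user list
            results.append((user, users, command, "explicit"))
        else:                                   # "()" or "(:...)"
            results.append((user, user, command, "empty"))
    return results


def follows_runas_default(sudoers_text):
    """Commands whose target account changes whenever runas_default changes."""
    return [c for _, _, c, kind in resolve_runas(sudoers_text) if kind == "missing"]
```

When reviewing a policy, the rules returned by `follows_runas_default` are the ones to re-check before changing `runas_default`.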