Closed rodrigorc closed 1 year ago
Now, writing:
ALL ALL=(ALL:mygroup) NOPASSWD: ALL
allows me to run any command as root without password, that is not good! I could change it to:
ALL ALL=(rodrigo:mygroup) NOPASSWD: ALL
but that means that any user can run any command as rodrigo without password, that is not my intention. I would like any user to run a command as group mygroup but with its own uid.
Thanks for your report. A bug was introduced in sudo 1.9.14 where a line like:
ALL ALL=(:mygroup) NOPASSWD: ALL
can match if no user was explicitly specified on the command line (e.g. sudo -u), overriding an earlier rule. I'm investigating it now and should have a new sudo release out with a fix early next week.
In the meantime, you should be able to work around the problem by changing the order of the sudoers rules. Since sudo takes the last match, if the above rule is parsed before a rule like:
rodrigo ALL = ALL
then the later rule will be the one that matches.
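The ordering workaround described above can be checked over a sudoers file. The following is an added example, not part of the thread and not sudo's own code: it reports each earlier rule for which a later group-only Runas rule such as (:mygroup) would be the last match. It assumes one rule per line, no alias expansion and no group membership lookup; the function names and the sample root line are constructed.

```python
import re

# Assumed grammar: "who hosts = (runas) cmds"; no line continuations,
# aliases are not expanded, and every line starting with '#' is skipped.
SPEC = re.compile(r'^(\S+)\s+[^=]+=\s*(?:\(([^)]*)\))?')
SKIP = re.compile(r'^(#|@include|Defaults|\w+_Alias\b)')

def parse_rules(text):
    """Return [(lineno, who, runas or None)] for each user-spec line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = None if not line or SKIP.match(line) else SPEC.match(line)
        if m:
            rules.append((lineno, m.group(1), m.group(2)))
    return rules

def is_group_only(runas):
    """True for a Runas spec such as (:mygroup): no user list, only a group list."""
    if runas is None or ':' not in runas:
        return False
    users, groups = runas.split(':', 1)
    return not users.strip() and bool(groups.strip())

def may_overlap(a, b):
    # Assumption: group membership is not resolved, so only ALL or an
    # identical "who" field counts as the same set of invoking users.
    return a == b or 'ALL' in (a, b)

def overridden_rules(text):
    """Return (group_only_line, earlier_line) pairs where the group-only rule is the last match."""
    rules, findings = parse_rules(text), []
    for i, (g_line, g_who, g_runas) in enumerate(rules):
        if not is_group_only(g_runas):
            continue
        later = [who for _, who, runas in rules[i + 1:] if not is_group_only(runas)]
        for e_line, e_who, _ in rules[:i]:
            if may_overlap(g_who, e_who) and not any(may_overlap(e_who, w) for w in later):
                findings.append((g_line, e_line))
    return findings

# Constructed sample files; the root line is an assumption, the other two rules are from the thread.
BEFORE = "root ALL=(ALL:ALL) ALL\n%wheel ALL=(ALL:ALL) ALL\nALL ALL=(:mygroup) NOPASSWD: ALL\n"
AFTER = "ALL ALL=(:mygroup) NOPASSWD: ALL\nroot ALL=(ALL:ALL) ALL\n%wheel ALL=(ALL:ALL) ALL\n"

if __name__ == "__main__":
    print(overridden_rules(BEFORE))
    print(overridden_rules(AFTER))
```

An empty result means every rule that precedes a group-only rule is matched again by a later rule, which is the state the reordering workaround produces.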
Thanks @millert for the quick answer!
I moved the line for the wheel group:
%wheel ALL=(ALL:ALL) ALL
to the very end of the sudoers file, and it works fine again.
Closing this now that sudo 1.9.14p2 is out.
Hi! I recently upgraded from sudo 1.9.13.p3 to 1.9.14.p1 in my ArchLinux system, and the default user for sudo changed automatically from root to my regular user rodrigo. That is, when I run sudo -i it used to start a root shell, now it starts a rodrigo shell, which is quite useless. The obvious workaround - after I panicked and thought I had a rootkit and recovered - is to run sudo -i -u root.
I've checked my customized configuration and it all comes down to this custom rule in my sudoers.d subdir:
I changed it to:
and everything is back to normal. So no real harm done.
I'm opening this issue for the benefit of others that may encounter this. Is it a bug? A fix of a pre-existing bug? Or a subtle change in the intended behavior? I checked the change-logs and saw nothing about this.