millert
commented
9 months ago Yes, sudo -v is handled differently from a regular command since there may be multiple commands permitted. Here's the sudoers manual entry for the verifypw option:
sudo with the -v option.
It has the following possible values:
- all
- All the user's sudoers file entries for the current
host must have the
NOPASSWDflag set to avoid entering a password. - always
- The user must always enter a password to use the
-voption. - any
- At least one of the user's sudoers file entries for
the current host must have the
NOPASSWDflag set to avoid entering a password. - never
- The user need never enter a password to use the
-voption.
If no value is specified, a value of all is implied. Negating the option results in a value of never being used. The default value is all.
sudo -vdoes not choose the same rule assudo some_commandSetup: arch linux
I have a setup where I have (among others) a user called
cedric. It is a member of thewheelgroup.The last line in the sudoers file is set to
@includedir /etc/sudoers.dand in/etc/sudoers.dI have the following two files:000-wheelcontaining the rule%wheel ALL=(ALL:ALL) ALL001-cedriccontaining the rulecedric ALL=(ALL:ALL) NOPASSWD: ALLIf I run
sudo -kfollowed bysudo echo testthen the rule in001-cedricis correctly picked up as the last matching rule and I am not asked for a password.However if I run
sudo -kfollowed bysudo -vthen I am asked for a password, because only the rule in000-wheelis matched, even though the one in001-cedricshould override it because it comes later.If I delete the
000-wheelfile and try the same thing againsudo -k ; sudo -vthen I am not asked for a password (as I expected) sosudo -vis actually able to use the rule in001-cedricjust fine.It appears that
sudo -vis using slightly different rule selection logic.