Closed VrIgHtEr closed 9 months ago
Yes, sudo -v is handled differently from a regular command since there may be multiple commands permitted. Here's the sudoers manual entry for the verifypw option:

sudo with the -v option.

It has the following possible values:

NOPASSWD flag set to avoid entering a password.
-v option.
NOPASSWD flag set to avoid entering a password.
-v option.

If no value is specified, a value of all is implied. Negating the option results in a value of never being used. The default value is all.

sudo -v does not choose the same rule as sudo some_command

Setup: Arch Linux
I have a setup where I have (among others) a user called cedric. It is a member of the wheel group.

The last line in the sudoers file is set to @includedir /etc/sudoers.d and in /etc/sudoers.d I have the following two files:

000-wheel containing the rule %wheel ALL=(ALL:ALL) ALL
001-cedric containing the rule cedric ALL=(ALL:ALL) NOPASSWD: ALL

If I run sudo -k followed by sudo echo test then the rule in 001-cedric is correctly picked up as the last matching rule and I am not asked for a password.

However if I run sudo -k followed by sudo -v then I am asked for a password, because only the rule in 000-wheel is matched, even though the one in 001-cedric should override it because it comes later.

If I delete the 000-wheel file and try the same thing again sudo -k ; sudo -v then I am not asked for a password (as I expected) so sudo -v is actually able to use the rule in 001-cedric just fine.

It appears that sudo -v is using slightly different rule selection logic.
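
The behaviour discussed in this thread, as an added example that is not code from sudo or from either poster: a simplified Python model of the last-match choice for a regular command next to the verifypw check for sudo -v, run over the two rules from the report. The meanings of the values any and always are taken from the sudoers manual rather than from this page, and host and command matching are left out as a simplifying assumption.

```python
# Simplified model of the two decisions described above; not sudo's source code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    who: str          # "user" or "%group", as written in sudoers
    nopasswd: bool    # True when the entry carries the NOPASSWD tag
    source: str       # file the rule came from (informational only)

# The two rules from the report, in the order @includedir reads them.
RULES = [
    Rule("%wheel", False, "000-wheel"),
    Rule("cedric", True, "001-cedric"),
]

def entries_for(user, groups, rules):
    """Entries that apply to this user (assumption: host matching omitted)."""
    return [r for r in rules
            if r.who == user or (r.who.startswith("%") and r.who[1:] in groups)]

def command_needs_password(user, groups, rules):
    """Regular command: the last matching entry decides."""
    matches = entries_for(user, groups, rules)
    if not matches:
        raise PermissionError(f"{user} has no sudoers entry")
    return not matches[-1].nopasswd

def validate_needs_password(user, groups, rules, verifypw="all"):
    """sudo -v: verifypw decides, looking at every entry for the user."""
    flags = [r.nopasswd for r in entries_for(user, groups, rules)]
    if verifypw == "always":
        return True
    if verifypw == "never":
        return False
    if verifypw == "any":
        return not any(flags)
    if verifypw == "all":
        return not (flags and all(flags))
    raise ValueError(f"unknown verifypw value: {verifypw}")

if __name__ == "__main__":
    groups = {"wheel"}
    print("sudo echo test asks:", command_needs_password("cedric", groups, RULES))
    for mode in ("all", "any", "always", "never"):
        print(f"sudo -v ({mode}) asks:", validate_needs_password("cedric", groups, RULES, mode))
    print("sudo -v without 000-wheel asks:", validate_needs_password("cedric", groups, RULES[1:]))
```

With the default of all, the %wheel entry without NOPASSWD is enough to make sudo -v prompt, which matches what the report observed with and without the 000-wheel file.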