2

I'm trying to make sense of the sudo documentation on the Debian Wiki. It uses the two examples below. However, I don't understand the difference between them. Why has the group sudo got (ALL:ALL) as compared to the (ALL) option for root? What does each part of the command do?

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#Default rule for root.
root    ALL=(ALL) ALL

2 Answers

6

Explanation for %sudo ALL=(ALL:ALL) ALL:

  • %sudo - the group (named sudo) allowed to use sudo.

  • 1st ALL means to allow sudo from any terminal, or from any host (on any machine)

  • (ALL:ALL) indicates command can be run as (User:Group)
  • Last ALL means all commands can be executed

Explanation for root ALL=(ALL) ALL

  • root - the user (root) allowed to do everything on any machine as any user

Explanation for (ALL:ALL): (Run as (User:Group))

  • 1st "ALL" indicates that the user (in case of root) or group members (in case of %admin) can run commands as all users

  • 2nd "ALL" indicates that user (i.e. root) or group members (i.e. of %admin) can run commands as all groups.

If only (ALL) is used then it doesn't allow running as another group, whereas (ALL:ALL) says Run as All users and All groups.

7
  • So I assume that there is no point in actually having (ALL:ALL) as it does the same as putting (ALL)? Commented Jun 18, 2015 at 11:11
  • @johnsmith as my answer shows, ALL:ALL is not the same as just ALL. Commented Jun 18, 2015 at 11:14
  • @johnsmith have you read last line? Commented Jun 18, 2015 at 11:18
  • I find your answer confusing. I thought that the root settings are nothing to do with sudo. So I'm not sure why you refer to sudo in your explanation of the root command. Commented Jun 18, 2015 at 11:20
  • Unless the ALL command is also used as an alias to do something with sudo, which would be super confusing, but hilarious Commented Jun 18, 2015 at 11:21
0

The difference between ALL:ALL and ALL in RunAs is the combinations of user and group that can be used. For example:

# sudo -u muru -g git id
Sorry, user root is not allowed to execute '/usr/bin/id' as muru:git on muru-laptop.
# sudo -u muru -g muru id
uid=1000(muru) gid=1000(muru) groups=1000(muru),10(wheel),21(locate),102(polkitd),190(systemd-journal)
$ sudo -u muru -g git id
uid=1000(muru) gid=997(git) groups=997(git),10(wheel),21(locate),102(polkitd),190(systemd-journal),1000(muru)
$ id    
uid=1000(muru) gid=1000(muru) groups=1000(muru),10(wheel),21(locate),102(polkitd),190(systemd-journal)

The first two commands were run as root, the third and fourth under my normal user who has (ALL:ALL).

With only ALL, -g can only be used to specify the primary group of the user - which is no better than not specifying -g at all. ALL:ALL can be used to give any combination of valid users and groups.

I don't know why this (artificial) restriction is in place.

2
  • 1
    Oh man. I am a new Linux user, this is way over my head. Commented Jun 18, 2015 at 11:10
  • @johnsmith <shrug> I doubt you'd have to actually use a combination this way. Most cases require just the user, or nothing at all. Commented Jun 18, 2015 at 11:13
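
The difference both answers describe, as an added example that is not part of the original posts: a Python sketch that splits the two rules from the question into their fields and models the `-g` behaviour shown in the terminal session above. It is not sudo's own code; the helper names and the `PRIMARY_GROUP` table are constructed for illustration, and only simple one-entry rules without tags or aliases are handled.

```python
import re

# One simple sudoers user specification: who  host=(runas) commands
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rule(line):
    """Split one sudoers rule into its named fields."""
    m = RULE.match(line.strip())
    if m is None:
        raise ValueError("not a simple user specification: %r" % line)
    who, runas = m.group("who"), m.group("runas")
    # A rule with no (...) part at all lets commands run as root only.
    users, _, groups = ("root" if runas is None else runas).partition(":")
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return {
        "who": who.lstrip("%"),
        "who_is_group": who.startswith("%"),   # %name means a Unix group
        "host": m.group("host"),
        "runas_users": split(users),           # checked against sudo -u
        "runas_groups": split(groups),         # checked against sudo -g
        "commands": split(m.group("cmds")),
    }

def listed(name, names):
    return "ALL" in names or name in names

def runas_allowed(rule, target_user, target_group, primary_group):
    """Model of the session above: -u must match the first Runas list;
    -g must match the second list, and when the rule has no second list
    only the target user's primary group is accepted."""
    if not listed(target_user, rule["runas_users"]):
        return False
    if target_group is None:                   # no -g on the command line
        return True
    if rule["runas_groups"]:
        return listed(target_group, rule["runas_groups"])
    return target_group == primary_group.get(target_user)

# Constructed sample data mirroring the session in the answer.
PRIMARY_GROUP = {"muru": "muru", "root": "root"}
ROOT_RULE = parse_rule("root    ALL=(ALL) ALL")
SUDO_RULE = parse_rule("%sudo   ALL=(ALL:ALL) ALL")

if __name__ == "__main__":
    for name, rule in (("root", ROOT_RULE), ("%sudo", SUDO_RULE)):
        for group in ("muru", "git"):
            ok = runas_allowed(rule, "muru", group, PRIMARY_GROUP)
            print(f"{name}: sudo -u muru -g {group} ->",
                  "allowed" if ok else "denied")
```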
